Solved

Set cookies HttpOnly and Secure

Posted on 2016-11-10
4
51 Views
Last Modified: 2016-11-14
Have added the following in web.config for my SharePoint 2013 website but there are 3 or more cookies that do not seem to respect the below setting.

<httpCookies httpOnlyCookies="true" requireSSL="true" domain="" lockItem="true" />

Open in new window


Cookies:
  1. SearchSession
  2. WOPISessionContext
  3. WSS_FullScreenMode

What else should I do to ensure all SharePoint cookies are set to be HttpOnly and Secure ? This is for security scanning purposes.
0
Comment
Question by:hongjun
  • 2
4 Comments
 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 41883371
What is setting those cookies?  If it is JavaScript in the pages, the settings in web.config have no effect.
0
 
LVL 33

Author Comment

by:hongjun
ID: 41883397
@Dave

Yes am aware cookies created by JavaScript will have no impact. Do you know how SP creates these cookies then?
0
 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 41883404
Which cookies and which application?  'web.config' only controls things done thru the server and probably not even all of them.
0
 
LVL 61

Accepted Solution

by:
btan earned 500 total points
ID: 41883717
WOPISessionContext cookies - from Office Web App in a SharePoint 2013 libraries. e.g. When the browser opens up any web part, it will have the "WOPISessionContext" cookie set by SharePoint. Example, one of such Web Apps may allow redirects to a specific URL by setting a cookie using its web app codes and you can set the flags herein
window.document.cookie = "WOPISessionContext=http://client1.mydomain.com/project11210/default.aspx;path=/";
Likewise this may be via JS and not covered as per config.

Same goes for "WSS_FullScreenMode" which is mostly in objects and methods that comes with the Sharepoint JavaScript libraries e.g. (SP.Runtime.js) and they are objects used in the Sharepoint App. It is non-trivial but possible to "hunt" down the app stating this in the .js libraries, example
var context = SP.ClientContext.get_current();

var request = new SP.WebRequestInfo();

//Set the Url, HTTP Method and Accept Headers
request.set_url( “http://uvo1vnoxg7xeb0u4dm1.env.cloudshare.com/WebAPI005/api/values” );
request.set_method(“GET”);
request.set_headers({ “Accept”: “application/json” });
var response = SP.WebProxy.invoke(context, request);
      context.executeQueryAsync(successHandler, errorHandler);
The "SearchSession" Cookie is like due to the Search web part or related app performing "search" using .js libraries. But note that SharePoint 2013 doesn't use Session cookies by default, but rather persistent cookies. There is PS to set in SharePoint to use session cookies for the SAML token service e.g.
$sts = Get-SPSecurityTokenServiceConfig
$sts.UseSessionCookies = $true
$sts.Update()
https://msdn.microsoft.com/en-us/library/office/hh147183(v=office.14).aspx

Not sure if we can do all the setting if we can identify those app and goes specific or have a global setting for cookies. But minimally need to know what are the underlying appl in the SharePoint will be a good start, see this PS http://www.dev4side.com/en/blog/posts/2014/07/07/how-to-retrieve-all-apps-installed-on-a-sharepoint-2013-web-application-through-powershell
0

Featured Post

Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

Join & Write a Comment

Password hashing is better than message digests or encryption, and you should be using it instead of message digests or encryption.  Find out why and how in this article, which supplements the original article on PHP Client Registration, Login, Logo…
Big data transfers via information superhighways require special attention and protection. Learn more about the IT-regulations of the country where your server is located. Analyze cloud providers and their encryption systems for safe data transit. S…
Viewers will get an overview of the benefits and risks of using Bitcoin to accept payments. What Bitcoin is: Legality: Risks: Benefits: Which businesses are best suited?: Other things you should know: How to get started:
The viewer will learn how to count occurrences of each item in an array.

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now