
Solved

Set cookies HttpOnly and Secure

Posted on 2016-11-10
Last Modified: 2016-11-14
I have added the following in web.config for my SharePoint 2013 website, but there are 3 or more cookies that do not seem to respect the setting below.

<httpCookies httpOnlyCookies="true" requireSSL="true" domain="" lockItem="true" />


Cookies:
  1. SearchSession
  2. WOPISessionContext
  3. WSS_FullScreenMode

What else should I do to ensure all SharePoint cookies are set to be HttpOnly and Secure? This is for security scanning purposes.
Question by:hongjun
4 Comments
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 41883371
What is setting those cookies?  If it is JavaScript in the pages, the settings in web.config have no effect.
 
LVL 33

Author Comment

by:hongjun
ID: 41883397
@Dave

Yes, I am aware that cookies created by JavaScript will not be affected. Do you know how SP creates these cookies, then?
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 41883404
Which cookies and which application? 'web.config' only controls things done through the server, and probably not even all of them.
 
LVL 65

Accepted Solution

by:
btan earned 2000 total points
ID: 41883717
WOPISessionContext cookies come from Office Web Apps in SharePoint 2013 libraries, e.g. when the browser opens any web part, it will have the "WOPISessionContext" cookie set by SharePoint. For example, one such web app may allow redirects to a specific URL by setting a cookie from its web app code, and you can set the flags here:
window.document.cookie = "WOPISessionContext=http://client1.mydomain.com/project11210/default.aspx;path=/";
Likewise, this may be done via JS and so is not covered by the config.

The same goes for "WSS_FullScreenMode", which mostly lives in objects and methods that come with the SharePoint JavaScript libraries (e.g. SP.Runtime.js) and are used in the SharePoint App. It is non-trivial but possible to "hunt" down the app setting this in the .js libraries, for example:
var context = SP.ClientContext.get_current();
var request = new SP.WebRequestInfo();

// Set the Url, HTTP Method and Accept Headers
request.set_url("http://uvo1vnoxg7xeb0u4dm1.env.cloudshare.com/WebAPI005/api/values");
request.set_method("GET");
request.set_headers({ "Accept": "application/json" });
var response = SP.WebProxy.invoke(context, request);
context.executeQueryAsync(successHandler, errorHandler);

// Callbacks referenced above (not in the original snippet): the proxied
// response body is available once executeQueryAsync completes.
function successHandler() { console.log(response.get_body()); }
function errorHandler(sender, args) { console.log(args.get_message()); }
The "SearchSession" cookie is likely due to the Search web part or a related app performing "search" using .js libraries. But note that SharePoint 2013 doesn't use session cookies by default, but rather persistent cookies. There is a PowerShell setting in SharePoint to use session cookies for the SAML token service, e.g.:
$sts = Get-SPSecurityTokenServiceConfig
$sts.UseSessionCookies = $true
$sts.Update()
https://msdn.microsoft.com/en-us/library/office/hh147183(v=office.14).aspx

Not sure if we can do all the settings if we can identify those apps and go specific, or whether there is a global setting for cookies. But minimally, knowing what the underlying applications in SharePoint are will be a good start; see this PS: http://www.dev4side.com/en/blog/posts/2014/07/07/how-to-retrieve-all-apps-installed-on-a-sharepoint-2013-web-application-through-powershell
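Since the question is about passing a security scan, here is the check the scanner is effectively running, as an added example that is not part of the original thread or of SharePoint: parse each Set-Cookie response header and report every cookie missing HttpOnly or Secure. The sample headers are constructed; only the three cookie names come from the question, and the values and attributes are made up. One caveat this check makes visible: a cookie written by page JavaScript through document.cookie never travels in a Set-Cookie header, so it will not show up here and cannot be made HttpOnly at all; for those, the only fix is to stop setting them client-side.

```python
"""Report Set-Cookie headers that lack the HttpOnly or Secure flag.

Added example for this thread, not code from the original posts or from
SharePoint. Cookies set via document.cookie never appear in Set-Cookie
headers and cannot be HttpOnly; this audit only sees server-set cookies.
"""
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Dict, List

# Order in which a scanner report lists the missing flags.
FLAG_ORDER = ("HttpOnly", "Secure")


@dataclass(frozen=True)
class CookieFlags:
    name: str
    httponly: bool
    secure: bool

    def missing(self) -> List[str]:
        """Flags a scanner would report as absent for this cookie."""
        out = []
        if not self.httponly:
            out.append("HttpOnly")
        if not self.secure:
            out.append("Secure")
        return out


def parse_set_cookie(header: str) -> CookieFlags:
    """Parse one Set-Cookie header value into its name and flag attributes.

    Attribute names are matched case-insensitively (RFC 6265 section 4.1.1);
    HttpOnly and Secure carry no value, so only their presence matters.
    """
    parts = [p.strip() for p in header.split(";")]
    name, sep, _value = parts[0].partition("=")
    if not sep or not name.strip():
        raise ValueError(f"malformed Set-Cookie header: {header!r}")
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:]}
    return CookieFlags(name.strip(), "httponly" in attrs, "secure" in attrs)


def audit(set_cookie_headers: List[str]) -> Dict[str, List[str]]:
    """Map each non-compliant cookie name to the flags it lacks.

    Compliant cookies are omitted, so an empty dict means a clean scan. If a
    cookie is set more than once in the same response, the weakest occurrence
    counts: the union of everything that was ever missing is reported.
    """
    findings: Dict[str, List[str]] = {}
    for header in set_cookie_headers:
        flags = parse_set_cookie(header)
        missing = flags.missing()
        if not missing:
            continue
        merged = set(findings.get(flags.name, [])) | set(missing)
        findings[flags.name] = sorted(merged, key=FLAG_ORDER.index)
    return findings


def audit_url(url: str) -> Dict[str, List[str]]:
    """Fetch one URL and audit every Set-Cookie header on the response.

    Performs a network request; assumes an anonymous GET is acceptable. A 401
    (typical for SharePoint without credentials) still carries cookies, so its
    headers are audited too rather than treated as a failure.
    """
    try:
        with urllib.request.urlopen(url) as resp:
            headers = resp.headers.get_all("Set-Cookie") or []
    except urllib.error.HTTPError as err:
        headers = err.headers.get_all("Set-Cookie") or []
    return audit(headers)


# Constructed sample modelled on the cookie names in the question; the values
# and attributes are made up, not what SharePoint actually sends.
SAMPLE_HEADERS = [
    "SearchSession=abc123; path=/",
    "WOPISessionContext=https%3A%2F%2Fclient1.mydomain.com%2Fdefault.aspx; path=/; Secure",
    "WSS_FullScreenMode=false; path=/; HttpOnly",
    "WSS_FullScreenMode=true; path=/; HttpOnly; Secure",
    "ExampleGood=1; Path=/; HTTPONLY; SECURE; SameSite=Lax",
]

if __name__ == "__main__":
    for cookie, flags in audit(SAMPLE_HEADERS).items():
        print(f"{cookie}: missing {', '.join(flags)}")
```

Point audit_url at the SharePoint site root and at a page that loads the Search web part and an Office Web Apps document, since cookies like WOPISessionContext and SearchSession are only issued on those responses. Anything the scanner flags that does not appear in any audited Set-Cookie header is being set client-side, which is the case btan describes above.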
