Authentication Cookies are missing the Secure flag

We found that the Authentication/session cookies did not have the Secure Flag attribute set in the Edge UI.

Impact: If the Secure flag is not set, a cookie is considered safe to be sent in the clear over unsecured channels, allowing an attacker the ability to capture and replay the cookie or hijack an active session.

Here are the Cookies where we don't see Secure flag:

https://<Edge-UI-URL>/

Set-Cookie: PLAY_SESSION=; Max-Age=0; Expires=Thu, 24 May 2018 21:27:33 GMT; Path=/platform
Set-Cookie: PLAY_FLASH=url=%2F; Path=/; HTTPOnly
Set-Cookie: PLAY_SESSION=<token>csrfToken=<token>; MaxAge=86400; Expires=Fri, 25 May 2018 21:27:33 GMT; Path=/; HTTPOnly

Can you please let me know how to make the Authentication cookies secure?

ACCEPTED SOLUTION

To set Secure flag for Authentication Cookies, we need to follow the below steps:

  1. Open the /opt/apigee/customer/application/ui.properties file in an editor. If the file does not exist, create it.
  2. Set the property session.secure to true in the /opt/apigee/customer/application/ui.properties file as shown below:
    conf_application_session.secure=true
  3. Save your changes.
  4. Restart the Edge UI:
    /opt/apigee/apigee-service/bin/apigee-service edge-ui restart

Post this change, we could see that the second PLAY_SESSION cookie had the Secure flag.

You can run the curl command to check the values of Cookies.

curl -i https://<EdgeUI URL>

Here's some context on which information has to be secure:

The PLAY_SESSION can be of two types:

  1. One that contains the access and refresh tokens. This one should be Secure.
  2. There could be another PLAY_SESSION that is blank, with path /platform. Since it's blank and does not contain any key/confidential information, it doesn't need to be Secure.
  3. Also, the PLAY_FLASH does not have auth related information, so it does not need to be secure.
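As an added check (example script, not code from the original post or from Apigee's tooling): a POSIX shell audit that reads the response headers from the curl command above, reports each cookie's Secure and HttpOnly flags, and fails when a named authentication cookie is non-empty but lacks Secure, which is the rule the answer gives for PLAY_SESSION. `<EdgeUI URL>` is the placeholder from the post; the function and cookie names in the script are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post or from Apigee: audit the
# Set-Cookie headers returned by the Edge UI for the Secure flag, applying the
# rule from the answer above (a non-empty authentication cookie must be Secure;
# the empty /platform PLAY_SESSION and PLAY_FLASH need not be). Live usage:
#   curl -sI "https://<EdgeUI URL>/" | audit_cookies PLAY_SESSION

# Print "NAME secure=yes|no httponly=yes|no empty=yes|no" for one header line.
cookie_report_line() {
    line=$(printf '%s' "$1" | tr -d '\r')   # strip CR from HTTP line endings
    attrs=${line#*:}                        # drop the "Set-Cookie:" name
    pair=${attrs%%;*}                       # first segment is NAME=VALUE
    pair=${pair# }
    name=${pair%%=*}
    value=${pair#*=}
    case "$attrs" in *\;*) rest=${attrs#*;} ;; *) rest= ;; esac
    rest=$(printf '%s' "$rest" | tr 'A-Z' 'a-z')   # attribute names are case-insensitive
    empty=no;    [ -z "$value" ] && empty=yes
    secure=no;   case "$rest" in *secure*) secure=yes ;; esac
    httponly=no; case "$rest" in *httponly*) httponly=yes ;; esac
    printf '%s secure=%s httponly=%s empty=%s\n' "$name" "$secure" "$httponly" "$empty"
}

# Read raw response headers on stdin; arguments name the cookies that carry
# authentication material. Prints one report line per cookie and returns 1
# if any named, non-empty cookie lacks the Secure flag (0 otherwise).
audit_cookies() {
    rc=0
    input=$(cat)
    old_ifs=$IFS; IFS='
'
    set -f                                  # no globbing on cookie values
    for line in $input; do
        # header names are case-insensitive (HTTP/2 sends them lowercased)
        case "$line" in [Ss][Ee][Tt]-[Cc][Oo][Oo][Kk][Ii][Ee]:*) ;; *) continue ;; esac
        report=$(cookie_report_line "$line")
        printf '%s\n' "$report"
        for sensitive in "$@"; do
            case "$report" in "$sensitive "*"secure=no"*"empty=no") rc=1 ;; esac
        done
    done
    set +f; IFS=$old_ifs
    return $rc
}
```

Run it before and after setting conf_application_session.secure=true: the exit status flips from 1 to 0 once the token-bearing PLAY_SESSION carries Secure, while the empty /platform cookie and PLAY_FLASH are reported but not counted as failures.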
