XF 2.0 HTTP Only Cookies

Nirjonadda

Well-known member
I want to add rules for HTTP Only Cookies but am having a problem: for the cookie xf_session, attributes are set twice.


Code:
# Secure cookie with HttpOnly
Header always edit Set-Cookie (.*) "$1; HTTPOnly"

Why is it adding some attributes twice?

Code:
Set-Cookie xf_session=jvyzZlRlRQKYSrOkqswLnVD2vQNQmE63; path=/; secure; HttpOnly; HTTPOnly

 
The change you're making is very likely to break things. Please don't apply it. We use HTTP-only cookies where appropriate.
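The duplicate in the first post comes from the `Header edit Set-Cookie (.*) "$1; HTTPOnly"` rule appending the flag unconditionally, so a cookie the application already marked HttpOnly ends up with it twice. The following is an added example written for this page, not code from the thread or from XenForo: it reproduces the blind append, shows a rewrite that only adds HttpOnly when the attribute is missing (compared case-insensitively, since `HTTPOnly` and `HttpOnly` are the same attribute), and audits the Secure/HttpOnly/SameSite flags the way a header scanner does. The `script_readable` allowlist is an assumption used to model "HttpOnly where appropriate": a cookie that browser-side script must read cannot be HttpOnly, which is why a blanket rewrite can break a site. Only the first sample header is from the post; the other two are constructed.

```python
import re

# Set-Cookie values as a server might send them. The first is the header quoted
# in the post; the other two are constructed for this example.
SAMPLE_HEADERS = [
    "xf_session=jvyzZlRlRQKYSrOkqswLnVD2vQNQmE63; path=/; secure; HttpOnly",
    "xf_csrf=abc123; path=/; secure",   # constructed: a cookie script is assumed to read
    "theme=dark; path=/",               # constructed: no security attributes at all
]


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attribute_lowercase: value_or_None})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else None
    return name.strip(), value, attrs


def blind_append(header):
    """Model of `Header edit Set-Cookie (.*) "$1; HTTPOnly"`: the first match of (.*) is the
    whole value, and the flag is appended whether or not it is already there."""
    return re.sub(r"(.*)", r"\1; HTTPOnly", header, count=1)


def ensure_httponly(header, script_readable=()):
    """Append HttpOnly only if it is absent, and never to cookies that client-side
    script is allowed to read (the allowlist is an assumption of this example)."""
    name, _, attrs = parse_set_cookie(header)
    if name in script_readable or "httponly" in attrs:
        return header
    return header + "; HttpOnly"


def audit(header):
    """Report the flags a header checker looks at for one Set-Cookie value."""
    name, _, attrs = parse_set_cookie(header)
    return {
        "name": name,
        "secure": "secure" in attrs,
        "httponly": "httponly" in attrs,
        "samesite": attrs.get("samesite"),
    }


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print("original :", h)
        print("blind    :", blind_append(h))
        print("guarded  :", ensure_httponly(h, script_readable={"xf_csrf"}))
        print("audit    :", audit(h))
        print()
```

Running it shows the post's `HttpOnly; HTTPOnly` duplicate coming out of `blind_append` for the xf_session cookie, while `ensure_httponly` leaves that header untouched and leaves xf_csrf alone because it is on the allowlist. The same guard can be expressed in mod_headers, which uses PCRE, as `Header always edit Set-Cookie "(?i)^(?!.*httponly)(.*)$" "$1; HttpOnly"` (this directive is my suggestion, not one the thread gives); it still does not solve the allowlist problem, which is the reason for the advice above not to apply a blanket rule.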
 
@Mike Can you confirm that the alert "'httpOnly' flag is not set on this cookie." from the website header checker https://securityheaders.com/ is still not a concern in 2020?

I understand these are just general advisements and not necessarily an error or risk. We've been tightening down security on the server headers this weekend.

Mike
 
I've had several members complain about getting a "Not Secure" message on the new Edge and Firefox browsers. The xf_csrf cookie was the only thing I found on any of the posts showing as insecure. Is this a false positive or something I can correct in the configuration?
 
I'm pretty sure what you're referring to is when the site doesn't use HTTPS. Looking at the URL in your customer area, you do support HTTPS but you don't seem to enforce it. You can enforce that via .htaccess or by enabling "Enable board URL canonicalization" (provided your board URL is correct/using HTTPS).
 
@Mike Thank you for the suggestion, but it didn't seem to help. We are enforcing the URL to HTTPS. The "Enable board URL canonicalization" option was unchecked, but checking it didn't seem to change the behavior.

Clicking the Not secure part of the address bar doesn't show anything as blocked or what is causing it to show as Not Secure.

I used a third-party scanner to check the same URL, which identified the xf_csrf cookie as insecure.
 