• Medium
    • Important for users who are using their own task administration: test whether the integration works; if not, the SameSite cookie config in application.ini must be removed and this issue reopened!
    • Set the authentication cookie according to the latest security recommendations.

      Set the cookie security depending on the SSL usage flag.

      COOKIE: ZFEXTENDED

      The cookie is missing the Secure, HttpOnly and SameSite flags; make sure it does not store sensitive information.

      The HttpOnly flag cannot be used by us, since we need JS access to the session cookie.

          [TRANSLATE-2311] Cookie Security

          Thomas Lauria added a comment - - edited

          SameSite with "Strict" prevents OpenID Connect from working and prevents authToken logins generated via SessionController (see TS-710) from a different domain opened with window.open().

          SameSite with "Lax" allows authToken logins, but still prevents OpenID Connect.

          SameSite with "None" allows all, but needs HTTPS.

          Conclusion: We set the SameSite flag depending on the HTTPS state, and enable OpenID and authToken only if running with HTTPS.

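The decision in the comment above, as an added example that is not translate5/ZfExtended code: the session cookie attributes are derived from the HTTPS state, and the cross-site features are enabled only where the resulting SameSite value allows them. The cookie name "zfExtended" and the feature names are taken from the issue; the `$isHttps` detection stands in for the application's own SSL usage flag.

```php
<?php
// Added example, not the project's own code. Derives the session cookie
// attributes from the HTTPS state, following the conclusion of the comment.
declare(strict_types=1);

function sessionCookieParams(bool $isHttps): array
{
    return [
        'path'     => '/',
        // Secure is only meaningful over HTTPS; browsers refuse Secure cookies on http://
        'secure'   => $isHttps,
        // HttpOnly stays off: the issue states that JS needs access to the session cookie
        'httponly' => false,
        // SameSite=None requires Secure (see the Firefox warning quoted in the issue);
        // without HTTPS fall back to Lax, which still covers top-level navigations
        'samesite' => $isHttps ? 'None' : 'Lax',
    ];
}

// Which cross-site features can work with the given cookie attributes,
// according to the observations in the comment:
//   Strict: neither; Lax: authToken only; None (+ Secure): both.
function crossSiteFeaturesEnabled(array $params): array
{
    $sameSite = $params['samesite'];
    return [
        'authToken'     => in_array($sameSite, ['Lax', 'None'], true),
        'openIdConnect' => $sameSite === 'None' && $params['secure'] === true,
    ];
}

// Assumption: HTTPS state taken from the request; the application would use its ssl flag.
$isHttps = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
$params  = sessionCookieParams($isHttps);

session_name('zfExtended');
// PHP >= 7.3 accepts the array form, which is required to set 'samesite'
session_set_cookie_params($params);

$features = crossSiteFeaturesEnabled($params);
// Over plain HTTP this yields ['authToken' => true, 'openIdConnect' => false];
// over HTTPS both are true, matching "enable OpenID and authToken only if running with HTTPS".
```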

          According to firefox:
          Das Cookie "zfExtended" wird in Zukunft bald abgelehnt werden, da es für das Attribut "SameSite" entweder "None" oder einen ungültigen Wert angibt, ohne das "secure"-Attribut zu verwenden. Weitere Informationen zum "SameSite"-Attribut finden Sie unter https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite.


            tlauria Thomas Lauria