Answered: How to set HttpOnly using set-cookie?

rherring

New Member
Hi All,

A Progress k-base gives some information on how to add HttpOnly to cookies.i, but not much else. Has anyone done this before and had it work? It looks like I need to recompile webstart.p, but Progress only provides webstart.r. Anyone make the modification to cookies.i and get it to work?

Regards,

Rich
 

GregTomkins

Active Member
I didn't write this, but this is from our code where we set cookies. I guess we decided to bypass Progress' function altogether in this case, though we certainly use their functions elsewhere. p_options can be set to various values, including 'HttpOnly'.

/* Format the cookie: name=value followed by the optional expires, path,
   domain and secure attributes, each separated by "; " */
ASSIGN v-cookie =
    url-encode(p_name, "cookie":U) + "=":U +
    url-encode(p_value, "cookie":U) +
    (IF exp-date = "" THEN "" ELSE "~; expires=":U + exp-date) +
    (IF p_path   = "" THEN "" ELSE "~; path=":U + p_path) +
    (IF p_domain = "" THEN "" ELSE "~; domain=":U + p_domain) +
    (IF v-secure = "" THEN "" ELSE "~; secure":U).

/* Just output additional options from the comma-separated p_options list
   (e.g. "HttpOnly"); secure, local and utc are skipped here because
   secure is already emitted above */
DO h_ct = 1 TO NUM-ENTRIES(p_options):
    IF CAN-DO("secure,local,utc", ENTRY(h_ct, p_options))
    THEN NEXT.
    v-cookie = v-cookie + "~; " + url-encode(ENTRY(h_ct, p_options), "cookie":U).
END.

/* Send the cookie to the web browser */
output-http-header("Set-Cookie":U, v-cookie).

As an aside: I think cookies are kind of a crazy idea, due to CSRF issues and such, and for us at least, I just don't see any need for them (eg. they create problems without solving any). We still use them in one case but eventually we'll eliminate that as well.
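As an added example (not from this thread and not Progress/WebSpeed code), the Python below parses Set-Cookie header values in the layout the snippet above emits and reports which cookies still lack HttpOnly or Secure, so a change like this can be verified from the actual HTTP response; the sample headers are constructed.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure attributes.

Added example, not from the thread or from WebSpeed. It reads the layout
the ABL snippet emits (name=value; expires=...; path=...; domain=...;
secure; HttpOnly) and reports the security attributes each cookie lacks.
"""
from typing import Dict, List

# Attributes that carry no value in a Set-Cookie header.
FLAG_ATTRIBUTES = {"secure", "httponly"}


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split one Set-Cookie header value into a dict.

    The first segment is the cookie itself (stored under "name"/"value");
    the rest are attributes, keyed in lowercase, flags mapped to "".
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    if not parts or "=" not in parts[0]:
        raise ValueError(f"malformed Set-Cookie header: {header!r}")
    name, value = parts[0].split("=", 1)
    cookie = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip()
    return cookie


def missing_flags(header: str) -> List[str]:
    """Return the security attributes (sorted) that the header lacks."""
    cookie = parse_set_cookie(header)
    return sorted(f for f in FLAG_ATTRIBUTES if f not in cookie)


def audit(headers: List[str]) -> Dict[str, List[str]]:
    """Map cookie name -> missing attributes, only for cookies with gaps."""
    report = {}
    for h in headers:
        gaps = missing_flags(h)
        if gaps:
            report[parse_set_cookie(h)["name"]] = gaps
    return report


# Constructed sample headers: one as the snippet emits it when p_options
# contains 'HttpOnly', and one older cookie that carries neither flag.
SAMPLE_HEADERS = [
    "SID=abc123; expires=Thu, 01 Jan 2026 00:00:00 GMT; path=/; secure; HttpOnly",
    "theme=dark; path=/",
]

if __name__ == "__main__":
    for name, gaps in audit(SAMPLE_HEADERS).items():
        print(f"{name}: missing {', '.join(gaps)}")
```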
 

rherring

New Member
Following K-base 000026689 (Greg hit it right on the head with his suggestion) and some additional instructions which were not in the k-base from Progress tech support (who investigated and provided more info), I was able to add HttpOnly (when set, disallows client-side access to the cookie in question) to the set-cookie command.

1) Modify set-cookie.i per the k-base.
2) Recompile web/objects/stateaware.p and web/objects/web-util.p.
3) Move the 2 .r files to both %DLC%\tty\web\objects and %DLC%\gui\web\objects.
4) Stop / start the web broker.

Normally, I wouldn't use a cookie; however, we are retrofitting an older application that has the SID in the URL, and using the cookie (secure, expires right away, httponly) as the SID and the old SID as a canary value fixed a whole bunch of security concerns instead of going through each and every program to fix the URL/SID passing. We also added the x-frame-option and JavaScript frame breaker code to address other issues as well. Anyway, any additional help on security would be welcome, as I am not an expert in it by a long shot (OWASP gives me a migraine).

http://blogs.microsoft.com/cybertrust/2009/04/09/improving-security-with-url-rewriting/

Regards,

Rich
 