Cookies and jars or cookies in jars?
I came across this interesting bit of ACE/IIB code on LinkedIn as an example of how to set headers in an HttpResponse.
This is something that I haven't seen used in IIB development. It is great, there is always something new to learn. So the article got me thinking about other things to consider when developing web services and web applications.
One of the topics in developing web services and web applications that I have been reading about lately is cookie security.
I found some good reading on the "Open Web Application Security Project" website (OWASP - I have referred to their Top 10 a number of times, but I had to look up what OWASP actually stood for) about how cookies work, some best practices, and threats you have to be cognizant of. This article is mostly about the HttpOnly cookie and the Secure cookie.
It got me interested in whether this was something that IIB could even do. I have written code in Java and C# to read and write cookies, but never in ACE/IIB/WMB.
So after some trial and error I was able to use ESQL to respond to an HTTP request with a cookie (or many cookies with different settings).
The code in the end is pretty simple.
The first one is a "non-secure" cookie:
SET OutputRoot.HTTPResponseHeader."set-cookie"[1] = 'UnsecureCookie2=abc123; Expires=Thu, 31 Oct 2021 07:28:00 GMT;';
The second is marked "Secure" and "HttpOnly":
SET OutputRoot.HTTPResponseHeader."set-cookie"[2] = 'SecureCookie3=abc1234; Expires=Thu, 31 Oct 2021 07:28:00 GMT; Secure; HttpOnly';
And the third has all the options:
SET OutputRoot.HTTPResponseHeader."set-cookie"[3] = 'PartiallySecureCookie8=abc1234; Domain=testdomain.com; Expires=Thu, 31 Nov 2021 07:28:00 GMT; HttpOnly; Secure; SameSite=Strict';
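To see what a browser would make of the three Set-Cookie values above, here is an added Python checker (my own code, not from the article and not one of the MB-Precise rules) that parses each value and reports a missing Secure, HttpOnly or SameSite attribute, plus an Expires value that cannot be parsed (the third cookie's "31 Nov" is such a date; RFC 6265 has the browser drop an unparseable Expires, so the cookie quietly becomes a session cookie). The finding strings are my own labels.

```python
from email.utils import parsedate_to_datetime

# The three Set-Cookie values from the ESQL above, copied from the page.
COOKIES = [
    'UnsecureCookie2=abc123; Expires=Thu, 31 Oct 2021 07:28:00 GMT;',
    'SecureCookie3=abc1234; Expires=Thu, 31 Oct 2021 07:28:00 GMT; Secure; HttpOnly',
    'PartiallySecureCookie8=abc1234; Domain=testdomain.com; '
    'Expires=Thu, 31 Nov 2021 07:28:00 GMT; HttpOnly; Secure; SameSite=Strict',
]


def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (name, value, {attribute: value}).

    Attribute names are lowercased because browsers match them
    case-insensitively; flag attributes (Secure, HttpOnly) map to ''.
    """
    parts = [p.strip() for p in header_value.split(';')]
    name, _, value = parts[0].partition('=')
    attrs = {}
    for part in parts[1:]:
        if not part:  # tolerates the trailing ';' on the first cookie
            continue
        key, _, val = part.partition('=')
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_cookie(header_value):
    """Return (cookie name, list of findings) for one Set-Cookie value."""
    name, _, attrs = parse_set_cookie(header_value)
    findings = []
    if 'secure' not in attrs:
        findings.append('missing Secure')        # would also be sent over plain HTTP
    if 'httponly' not in attrs:
        findings.append('missing HttpOnly')      # readable from document.cookie
    if attrs.get('samesite', '').lower() not in ('strict', 'lax'):
        findings.append('missing or weak SameSite')
    if 'expires' in attrs:
        try:
            parsedate_to_datetime(attrs['expires'])
        except (TypeError, ValueError):
            # RFC 6265 5.2.1: an Expires that fails to parse is ignored,
            # so the cookie silently becomes a session cookie.
            findings.append('unparseable Expires')
    return name, findings


def audit_all(header_values):
    """Map each cookie name to its findings; an empty list means no issue found."""
    return dict(audit_cookie(v) for v in header_values)


if __name__ == '__main__':
    for name, findings in audit_all(COOKIES).items():
        print(f'{name}: {", ".join(findings) or "ok"}')
```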
Now one question is, should we be using IIB in this way to respond to HTTP requests?
There are tools that can provide alternatives if a cookie is needed.
Infrastructure like Webseal can provide a "cookie jar". The idea is that your application sits behind a reverse proxy. Rather than sending all your cookies over http/https back to the client browser, Webseal replaces all the cookies that your application wants to share with the client with a single cookie that Webseal manages.
So your application behind the proxy can set the cookies that it needs and the proxy will replace them with a single cookie that it sends to the client; when the client sends the next request, the proxy replaces the cookie that the client sent through with the original cookies that the application set up.
That way there's no chance of leaking information in the client session as there is no information about the state of the application shared with the client.
Other IAM/proxy setups allow for this. I mostly have experience with using it from Webseal, but I understand that NGINX, F5 and others support this. It's something that could be done in the "cloud" world in Kubernetes with a WAF (maybe an Istio sidecar?).
So there are strategies for securing cookies beyond the application.
Following the principle of "defense in depth", we will still look to cover our bases and we should secure our cookies at an application level if possible.
To help with applying this at an application level for ACE/WMB/IIB code, we have added two new rules to our MB-Precise product to help identify where cookies are being set in the ESQL code. These two new rules are:
and
So now our developers can identify where this could be an issue and then choose an appropriate strategy to protect our data and user interactions.
More information on our products and on pricing can be found on our website:
You can also reach me via email at:
Or contact me via the contact page on our website:
Regards
Richard