We found that the Authentication/session cookies did not have the Secure Flag attribute set in the Edge UI.
Impact: If the Secure flag is not set, a cookie is considered safe to be sent in the clear over unsecured channels, allowing an attacker to capture and replay the cookie or hijack an active session.
Here are the cookies where we don't see the Secure flag:
https:///
Set-Cookie: PLAY_SESSION=; Max-Age=0; Expires=Thu, 24 May 2018 21:27:33 GMT; Path=/platform
Set-Cookie: PLAY_FLASH=url=%2F; Path=/; HTTPOnly
Set-Cookie: PLAY_SESSION=<token>csrfToken=<token>; MaxAge=86400; Expires=Fri, 25 May 2018 21:27:33 GMT; Path=/; HTTPOnly
Can you please let me know how to make the authentication cookies secure?
To set the Secure flag for the authentication cookies, we need to follow the steps below:
- Open the /opt/apigee/customer/application/ui.properties file in an editor. If the file does not exist, create it.
- Set the property session.secure to true in the /opt/apigee/customer/application/ui.properties file as shown below:
conf_application_session.secure=true
- Save your changes.
- Restart the Edge UI:
/opt/apigee/apigee-service/bin/apigee-service edge-ui restart
After this change, we could see that the second PLAY_SESSION cookie had the Secure flag.
You can run the following curl command to check the cookies:
curl -i https://<EdgeUI URL>
Here’s some context on which information has to be secure:
The PLAY_SESSION can be of two types:
- One that contains the access and refresh tokens. This one should be Secure.
- There could be another PLAY_SESSION that is blank, with path /platform. Since it's blank and does not contain any key/confidential information, it doesn't need to be Secure.
- Also, the PLAY_FLASH cookie does not have auth-related information, so it does not need to be Secure.
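As an added example (not part of the original question or answer, and not Apigee's own tooling), here is a POSIX shell check that automates the verification step from the answer: it reads HTTP response headers, picks out every Set-Cookie line, and reports cookies that carry a non-empty value but no Secure attribute. Following the answer's reasoning, blank cookies are skipped and cookie names passed as arguments (such as PLAY_FLASH) are treated as non-sensitive. The sample headers are constructed to mirror the lines quoted in the question and the expected result after the fix; they are not captured from a real server. The curl wrapper assumes only that curl is installed; `-D -` dumps the response headers of a GET to stdout.

```shell
#!/bin/sh
# Added example: audit Set-Cookie headers for the Secure flag.
# Usage: curl -sS -D - -o /dev/null https://<EdgeUI URL> | check_cookie_flags PLAY_FLASH

# check_cookie_flags reads raw HTTP response headers on stdin and prints, one per
# line, the name of each Set-Cookie that carries a non-empty value but no Secure
# attribute. Names passed as arguments are treated as non-sensitive and skipped;
# blank cookies (such as the expiring PLAY_SESSION=) are skipped too, following
# the reasoning in the answer above.
check_cookie_flags() {
  tr -d '\r' | grep -i '^set-cookie:' | while IFS= read -r line; do
    cookie=${line#*:}                              # drop the header name
    cookie=$(printf '%s' "$cookie" | sed 's/^[[:space:]]*//')
    pair=${cookie%%;*}                             # NAME=VALUE before the first ';'
    name=${pair%%=*}
    case $pair in
      *=*) value=${pair#*=} ;;
      *)   value= ;;
    esac
    if [ -z "$value" ]; then
      continue                                     # nothing to protect
    fi
    skip=0
    for allowed in "$@"; do
      if [ "$name" = "$allowed" ]; then skip=1; fi
    done
    if [ "$skip" -eq 1 ]; then
      continue                                     # caller declared it non-sensitive
    fi
    # Attributes follow the first ';'. Match Secure as a whole attribute,
    # case-insensitively, so both "Secure" and "secure" are accepted.
    if ! printf '%s\n' "$cookie" | grep -qiE ';[[:space:]]*secure[[:space:]]*(;|$)'; then
      printf '%s\n' "$name"
    fi
  done
}

# check_url fetches the given URL with curl and audits its cookies.
# -D - writes the response headers to stdout; the body is discarded.
check_url() {
  url=$1; shift
  curl -sS -D - -o /dev/null "$url" | check_cookie_flags "$@"
}

# Constructed sample headers modelled on the Set-Cookie lines quoted in the
# question (before the fix). Not captured from a real server.
sample_headers_before() {
  printf '%s\r\n' \
    'HTTP/1.1 200 OK' \
    'Set-Cookie: PLAY_SESSION=; Max-Age=0; Expires=Thu, 24 May 2018 21:27:33 GMT; Path=/platform' \
    'Set-Cookie: PLAY_FLASH=url=%2F; Path=/; HTTPOnly' \
    'Set-Cookie: PLAY_SESSION=<token>csrfToken=<token>; MaxAge=86400; Expires=Fri, 25 May 2018 21:27:33 GMT; Path=/; HTTPOnly' \
    ''
}

# Constructed sample headers as expected after conf_application_session.secure=true:
# the token-bearing PLAY_SESSION now carries Secure. Assumed output, not captured.
sample_headers_after() {
  printf '%s\r\n' \
    'HTTP/1.1 200 OK' \
    'Set-Cookie: PLAY_SESSION=; Max-Age=0; Expires=Thu, 24 May 2018 21:27:33 GMT; Path=/platform' \
    'Set-Cookie: PLAY_FLASH=url=%2F; Path=/; HTTPOnly' \
    'Set-Cookie: PLAY_SESSION=<token>csrfToken=<token>; MaxAge=86400; Expires=Fri, 25 May 2018 21:27:33 GMT; Path=/; Secure; HTTPOnly' \
    ''
}

demo() {
  echo "Before the fix, cookies lacking Secure (PLAY_FLASH allowed):"
  sample_headers_before | check_cookie_flags PLAY_FLASH
  echo "After the fix (no output expected):"
  sample_headers_after | check_cookie_flags PLAY_FLASH
}

demo
```

Run against a live Edge UI with `check_url https://<EdgeUI URL> PLAY_FLASH`; any name it prints is a non-blank cookie still being set without Secure. Leaving the allowlist empty reports PLAY_FLASH as well, which is the stricter reading if you prefer every non-empty cookie to carry the flag.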