How to apply httponly flag to specific cookie in PASOE

Posted by Roel de Wildt on 06-Feb-2017 15:16

Hello,

I'm trying to make a test project and have the problem that I cannot find a way to apply the httponly flag to a custom session cookie. Has anyone done this before in PASOE?

All Replies

Posted by Peter Judge on 07-Feb-2017 10:12

Is this for cookies you want to return yourself in ABL? Or from the Tomcat server?

Posted by Roel de Wildt on 07-Feb-2017 12:23

It is from the ABL, where an output parameter is mapped to a custom "session" cookie and I want to apply the httponly flag to it.

Posted by Peter Judge on 07-Feb-2017 12:28

I’m not sure that’s possible.
 
Depending on OE version you can do this in PASOE with the WEB transport (11.6.0+) where the ABL has full control over cookies, headers etc.

Posted by Roel de Wildt on 07-Feb-2017 13:35

I'm currently using OE 11.6.3. I have not seen an option for the REST transport to apply the httponly flag. Security scanners show an alert if they detect a "session" cookie without the httponly flag. So every transport method should be able to apply e.g. the httponly flag to a cookie.

If only the WEB transport is able to take control over the cookie flags, the REST or SOAP transport is, security-wise (cookie information can be read from JavaScript), not usable. See RFC6265 ( tools.ietf.org/.../rfc6265 ) for more information about cookie flags.

Could this be a good candidate for the ideas section, if it isn't possible with the REST or SOAP transport?
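The scanner check described in this post, written out as an added example (not code from the thread or from PASOE): it parses Set-Cookie header values per RFC 6265 and reports session cookies that lack the HttpOnly or Secure attribute. The session-cookie names and the sample headers are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)  # attribute names lower-cased


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value (RFC 6265 section 5.2).

    The first token is name=value; each following ';'-separated token is an
    attribute, either name=value (Path, Domain, Max-Age, ...) or a bare flag
    (Secure, HttpOnly), which is stored as True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        k, _, v = attr.partition("=")
        attrs[k.strip().lower()] = v.strip() if v else True
    return Cookie(name.strip(), value.strip(), attrs)


def audit_set_cookie(header: str, session_names=("JSESSIONID",)) -> list:
    """Return the findings a scanner would raise for this Set-Cookie header.

    Any cookie whose name is in session_names, or contains "session", is
    treated as a session cookie and expected to carry HttpOnly and Secure.
    """
    c = parse_set_cookie(header)
    findings = []
    is_session = c.name in session_names or "session" in c.name.lower()
    if is_session:
        if "httponly" not in c.attrs:
            findings.append(f"{c.name}: missing HttpOnly (readable from JavaScript)")
        if "secure" not in c.attrs:
            findings.append(f"{c.name}: missing Secure (sent over plain HTTP)")
    return findings


# Constructed sample headers, not captured from a real PASOE deployment.
SAMPLE_HEADERS = [
    "JSESSIONID=ABC123; Path=/web; HttpOnly; Secure",  # compliant
    "mysession=xyz; Path=/rest",                       # both flags missing
    "theme=dark; Path=/; Max-Age=31536000",            # not a session cookie
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        for finding in audit_set_cookie(h):
            print(finding)
```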

Posted by Peter Judge on 07-Feb-2017 14:46

I’d say that you can contact Tech Support and ask about that …. You can make an argument that you should be able to set the cookie’s flags.

Posted by Roel de Wildt on 08-Feb-2017 01:35

I've created a support case for the issue with the cookie flags.

Posted by Roel de Wildt on 08-Mar-2017 05:03

I have created an idea in the idea section for it:

community.progress.com/.../option_to_set_the_cookie_flags_in_pasoe_for_rest

This thread is closed