Sunday, May 19, 2013

Secure Cookie

In Security Best Practices when deploying OpenAM, there is this 1-liner tip: "When using https use secure cookies."

What exactly is "when using https"?

The documentation states the following:

Secure Cookie
If yes, then OpenAM sets the cookie in secure mode such that the browser only returns the cookie if a secure protocol such as HTTPS is used.
Default: No. Property: com.iplanet.am.cookie.secure



To be more precise, assume a Web Policy Agent is installed on an Apache server (HTTPS is not enabled) where a protected application is installed. And assume Secure Cookie is enabled on the OpenAM server (whose web container is running HTTPS).

1. A user attempts to access the protected application (residing on the Apache server).
2. The access is "intercepted" by the Web Policy Agent.
3. There is no existing session found. The Web Policy Agent sends a redirection to the user's browser.
4. The user's browser is redirected to the OpenAM server for user authentication.
5. The user keys in a valid user name and password.
6. The OpenAM server now generates a cookie in secure mode. A "goto" redirection takes place.
7. The user's browser now holds the secure cookie sent from the OpenAM server.
8. Now, the user's browser is about to perform a redirection back to the protected application.
9. But, BOMB!

Why?

In secure cookie mode, the browser is instructed not to send the cookie to the Apache server, since that server is not running over HTTPS. The agent therefore sees no session cookie and redirects to OpenAM again. You will only be able to use this setting if the Apache server is also set up to use HTTPS.
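To see the browser rule at work, here is an added Python example (not from the original post, and not OpenAM or agent code) that models the browser's cookie jar with the standard library's http.cookiejar: the OpenAM session cookie is stored with the Secure attribute, and the redirect back to the agent-protected host is attempted over plain HTTP and over HTTPS. The cookie name iPlanetDirectoryPro, the cookie domain .example.com and the host names are assumptions for the demonstration.

```python
from http.cookiejar import Cookie, CookieJar, DefaultCookiePolicy
from urllib.request import Request


def make_session_cookie(secure: bool) -> Cookie:
    """Build the cookie OpenAM would set after login.

    Assumed: default session cookie name iPlanetDirectoryPro, cookie
    domain .example.com so that agents on other hosts receive it.
    The token value is a constructed placeholder, not a real SSO token.
    """
    return Cookie(
        version=0, name="iPlanetDirectoryPro", value="CONSTRUCTED-SSO-TOKEN",
        port=None, port_specified=False,
        domain=".example.com", domain_specified=True, domain_initial_dot=True,
        path="/", path_specified=True,
        secure=secure,           # com.iplanet.am.cookie.secure=true -> Secure
        expires=None, discard=True, comment=None, comment_url=None, rest={},
    )


def cookie_sent_to(jar: CookieJar, url: str) -> bool:
    """Ask the jar to attach cookies to a request for url.

    DefaultCookiePolicy enforces the Secure rule: a Secure cookie is only
    attached when the request scheme is https (or wss).
    """
    request = Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie") is not None


def simulate_goto_redirect(secure_cookie: bool, agent_url: str) -> bool:
    """Step 7 and 8 of the flow: browser holds the cookie, then follows the
    goto redirect to the protected application. Returns True if the
    session cookie reaches the Web Policy Agent, False if it is withheld."""
    jar = CookieJar(DefaultCookiePolicy())
    jar.set_cookie(make_session_cookie(secure_cookie))
    return cookie_sent_to(jar, agent_url)


if __name__ == "__main__":
    # Secure cookie, agent on plain HTTP: the "BOMB!" case, cookie withheld.
    print(simulate_goto_redirect(True, "http://apache.example.com/app"))
    # Secure cookie, agent on HTTPS: cookie delivered, login loop avoided.
    print(simulate_goto_redirect(True, "https://apache.example.com/app"))
    # Secure Cookie left at "No": cookie travels over plain HTTP too.
    print(simulate_goto_redirect(False, "http://apache.example.com/app"))
```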


Conclusion

In order to enable secure cookie, the OpenAM server has to be running on the HTTPS protocol first. Then, the web containers of all protected applications (every host that must receive the session cookie) have to be running on HTTPS as well.

How often do you see this kind of deployment? Seldom.
