OWASP - User contributions [en]

SecureFlag

2013-01-09T20:13:05Z

Gladwin:

{{Stub}}

= Overview =

The secure flag is an option that can be set by the application server when sending a new cookie to the user within an HTTP Response. The purpose of the secure flag is to prevent cookies from being observed by unauthorized parties due to the transmission of a the cookie in clear text. 

To accomplish this goal, browsers which support the secure flag will only send cookies with the secure flag when the request is going to a HTTPS page. Said in another way, the browser will not send a cookie with the secure flag set over an unencrypted HTTP request. 

By setting the secure flag, the browser will prevent the transmission of a cookie over an unencrypted channel. 

= Setting the Secure Flag =

Following sections describes setting the Secure Flag in respective technologies.

== Java ==

=== Servlet 3.0 (Java EE 6) ===
Sun Java EE supports secure flag in Cookie interface since version 6 (Servlet class version 3)[http://java.sun.com/javaee/6/docs/api/javax/servlet/http/Cookie.html#setSecure%28boolean%29], also for session cookies (JSESSIONID)[http://java.sun.com/javaee/6/docs/api/javax/servlet/SessionCookieConfig.html#setSecure%28boolean%29]. Methods ''setSecure'' and ''isSecure'' can be used to set and check for secure value in cookies.

==== web.xml ====
Servlet 3.0 (Java EE 6) introduced a standard way to configure secure attribute for the session cookie, this can be done by applying the following configuration in web.xml
<session-config>
<cookie-config>
<secure>true</secure>
</cookie-config>
<session-config>

=== Tomcat ===
In '''Tomcat 6''' if the first request for session is using ''https'' then it automatically sets secure attribute on session cookie.

=== Setting it as a custom header ===
For '''older versions''' the workaround is to rewrite JSESSIONID value using and setting it as a custom header. The drawback is that servers can be configured to use a different session identifier than JSESSIONID.

String sessionid = request.getSession().getId();
response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + "; secure");

=== Environment consideration ===

With this flag always set, sessions won't work in environments(development/test/etc.) that may use http. SessionCookieConfig [http://java.sun.com/javaee/6/docs/api/javax/servlet/SessionCookieConfig.html#setSecure%28boolean%29] interface or setting custom header[https://www.owasp.org/index.php/SecureFlag#Setting_it_as_a_custom_header] trick can be leveraged to configure setting of this flag differently for each environment and can be driven by application configuration.

== ASP.NET ==

<httpCookies requireSSL="true" />

= Testing for the Secure Flag =

= Related Articles =

[http://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002) Testing for Cookie Attributes] 
http://www.troyhunt.com/2011/11/owasp-top-10-for-net-developers-part-9.html

SecureFlag

2013-01-09T20:12:30Z

Gladwin: Java - Environment consideration

SecureFlag

2013-01-09T19:54:27Z

Gladwin: Added section for Java

{{Stub}}

= Overview =

The secure flag is an option that can be set by the application server when sending a new cookie to the user within an HTTP Response. The purpose of the secure flag is to prevent cookies from being observed by unauthorized parties due to the transmission of a the cookie in clear text. 

To accomplish this goal, browsers which support the secure flag will only send cookies with the secure flag when the request is going to a HTTPS page. Said in another way, the browser will not send a cookie with the secure flag set over an unencrypted HTTP request. 

By setting the secure flag, the browser will prevent the transmission of a cookie over an unencrypted channel. 

= Setting the Secure Flag =

Following sections describes setting the Secure Flag in respective technologies.

== Java ==

=== Servlet 3.0 (Java EE 6) ===
Sun Java EE supports secure flag in Cookie interface since version 6 (Servlet class version 3)[http://java.sun.com/javaee/6/docs/api/javax/servlet/http/Cookie.html#setSecure%28boolean%29], also for session cookies (JSESSIONID)[http://java.sun.com/javaee/6/docs/api/javax/servlet/SessionCookieConfig.html#setSecure%28boolean%29]. Methods ''setSecure'' and ''isSecure'' can be used to set and check for secure value in cookies.

==== web.xml ====
Servlet 3.0 (Java EE 6) introduced a standard way to configure secure attribute for the session cookie, this can be done by applying the following configuration in web.xml
<session-config>
<cookie-config>
<secure>true</secure>
</cookie-config>
<session-config>

=== Tomcat ===
In '''Tomcat 6''' if the first request for session is using ''https'' then it automatically sets secure attribute on session cookie.

=== Setting it as a custom header ===
For '''older versions''' the workaround is to rewrite JSESSIONID value using and setting it as a custom header.

Advantage of using custom rewrite trick is that we can configure it differently for each environment driven by application configuration as most local development or test environments may use ''http''.

The drawback is that servers can be configured to use a different session identifier than JSESSIONID. It will be best if configuring this attribute could be a feature supported by Servlet containers.

String sessionid = request.getSession().getId();
response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + "; secure");

== ASP.NET ==

<httpCookies requireSSL="true" />

= Testing for the Secure Flag =

= Related Articles =

[http://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002) Testing for Cookie Attributes] 
http://www.troyhunt.com/2011/11/owasp-top-10-for-net-developers-part-9.html

SecureFlag

2013-01-09T19:10:10Z

Gladwin: Made ASP.NET as sub section of Setting the Secure Flag