CAS 4.1.x TGC cookie not set to HTTPOnly with Servlet 3 API


Yan Zhou
Mar 9, 2017, 10:21:48 AM
to CAS Community
Hi there, 

I have a CAS 4.1.x overlay, servlet API version 3 in pom.xml, and CAS running on Tomcat 7.

I observed that the TGC cookie is set to Secure, but NOT HttpOnly. Tomcat 7 defaults to HttpOnly for the session cookie, but it does not know about the CAS TGC cookie, so the CAS web app's session cookie has HttpOnly set, but the TGC cookie does not.

The source code in CookieRetrievingCookieGenerator.java shows that CAS would set HttpOnly if "RememberMe" is on.

Am I missing something? Shouldn't the TGC cookie always have HttpOnly on, at all times? This URL explains how to customize CAS to do that, but I am wondering why this would require customization.


Thx!
Yan

    public void addCookie(final HttpServletRequest request, final HttpServletResponse response, final String cookieValue) {
        final String theCookieValue = this.casCookieValueManager.buildCookieValue(cookieValue, request);

        if (!StringUtils.hasText(request.getParameter(RememberMeCredential.REQUEST_PARAMETER_REMEMBER_ME))) {
            // No "rememberMe" parameter: delegate to the parent Spring CookieGenerator,
            // which applies its own configured cookie attributes.
            super.addCookie(response, theCookieValue);
        } else {
            // "rememberMe" present: build the long-lived cookie by hand.
            final Cookie cookie = createCookie(theCookieValue);
            cookie.setMaxAge(this.rememberMeMaxAge);
            if (isCookieSecure()) {
                cookie.setSecure(true);
            }
            if (isCookieHttpOnly()) {
                // Cookie.setHttpOnly only exists from the Servlet 3.0 API onward,
                // so look it up reflectively before calling it.
                final Method setHttpOnlyMethod = ReflectionUtils.findMethod(Cookie.class, "setHttpOnly", boolean.class);
                if (setHttpOnlyMethod != null) {
                    cookie.setHttpOnly(true);
                } else {
                    logger.debug("Cookie cannot be marked as HttpOnly; container is not using servlet 3.0.");
                }
            }
            response.addCookie(cookie);
        }
    }

Yan Zhou
Mar 9, 2017, 10:49:07 AM
to CAS Community

I added the httpOnly flag in the XML, and that worked for me. Does this solution sound right?

    <bean id="ticketGrantingTicketCookieGenerator" class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
          c:casCookieValueManager-ref="cookieValueManager"
          p:cookieHttpOnly="true"  
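A quick way to confirm that a change like the one above actually took effect is to inspect the Set-Cookie headers the CAS login response returns. The following is an added example, not code from the CAS project or from anyone in this thread; the two headers are constructed samples with placeholder values.

```python
"""Audit Set-Cookie headers for the CAS TGC cookie's Secure/HttpOnly flags.

Added example (not CAS project code): feed it the Set-Cookie headers a CAS
login response returned and it reports which flags the TGC cookie lacks.
"""
from typing import Dict, List

# Constructed sample headers; the values are placeholders, not real tickets.
SAMPLE_HEADERS = [
    "JSESSIONID=placeholder-session-id; Path=/cas; Secure; HttpOnly",
    "TGC=placeholder-tgc-value; Path=/cas; Secure",
]


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header into name, value and attribute map."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        # Flag attributes (Secure, HttpOnly) carry no value; store True.
        attrs[key.strip().lower()] = val.strip() if sep else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def missing_flags(header: str, required=("secure", "httponly")) -> List[str]:
    """Return the required attributes that are absent from one cookie header."""
    attrs = parse_set_cookie(header)["attrs"]
    return [flag for flag in required if flag not in attrs]


def audit_tgc(headers: List[str], cookie_name: str = "TGC") -> Dict[str, List[str]]:
    """Map each cookie named cookie_name to the list of flags it is missing."""
    findings: Dict[str, List[str]] = {}
    for header in headers:
        parsed = parse_set_cookie(header)
        if parsed["name"] == cookie_name:
            findings[cookie_name] = missing_flags(header)
    return findings


if __name__ == "__main__":
    for name, missing in audit_tgc(SAMPLE_HEADERS).items():
        print(name, "missing:", missing or "nothing")
```

Run it against the real headers (for example, the Set-Cookie lines captured from the login response) after applying the `p:cookieHttpOnly="true"` setting; an empty list for TGC means both flags are present.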

Alejandro Rodriguez
Mar 30, 2017, 5:53:22 AM
to CAS Community

Hi, I have the same question. My environment is CAS overlay 5.0.3.1 with Tomcat 8.0 and Java 1.8, and I do not understand how it is possible that the TGC cookie cannot be officially configured as HttpOnly. I have tested the embedded environment with the same result. Am I doing something wrong?
In my humble opinion, I understand it as a great security problem for Single Sign-On. Could someone tell me if I'm right? Thank you so much.

Misagh Moayyed
Mar 30, 2017, 7:58:15 AM
to cas-...@apereo.org

> My environment is CAS overlay 5.0.3.1 with Tomcat 8.0 and Java 1.8, and I do not understand how it is possible that the TGC cookie cannot be officially configured as HttpOnly. I have tested the embedded environment with the same result. Am I doing something wrong?

No, you're not doing anything wrong. The HttpOnly support went into CAS around the release of CAS 4, and at the time, given backward compatibility concerns, the flag was configured down at the XML level optionally, and CAS reflectively tried to decide if the container/spec had support for HttpOnly and only set the flag if the condition held. Of course, this was documented somewhere.

In 5, the setting (and the default value of 'true') for the flag were skipped for no good reason. You're welcome to file an issue for this.

> In my humble opinion, I understand it as a great security problem for Single Sign-On. Could someone tell me if I'm right?

You're certainly right; however, note that the SSO cookie is both signed and encrypted, and its value is in many ways tied to your deployment. Any tampering with the cookie would/should be rejected, and attackers need to know the key pair to even begin the tampering. Unless you have turned those settings off, there is no security "problem"; just a small improvement to harden the configuration, for which you're welcome to submit a request.



Alejandro Rodriguez
Mar 31, 2017, 2:25:51 AM
to CAS Community, mmoa...@unicon.net

Misagh, thank you very much for the clarification. I will try to file an issue as you advise me,
although I have never done so before. Again, thank you very much.

Yan Zhou
Mar 31, 2017, 6:59:37 AM
to CAS Community, Misagh Moayyed
Hello, 

By default, the TGC cookie does _not_ have HttpOnly. If the app (using CAS for authentication) has an XSS vulnerability, someone could inject JS, read the TGC cookie and submit it to the CAS server; even though it is encrypted and signed, the CAS server will not know this TGC cookie is from an attacker. Is that not an issue?

Granted, there may be little an attacker could do; I guess he could request a service ticket for his app, now that he has the TGC cookie?

Thx!
Yan

On Fri, Mar 31, 2017 at 2:25 AM, Alejandro Rodriguez <ale...@gmail.com> wrote:

> Misagh, thank you very much for the clarification. I will try to file an issue as you advise me,
> although I have never done so before. Again, thank you very much.


Alejandro Rodriguez
Mar 31, 2017, 7:16:39 AM
to CAS Community, mmoa...@unicon.net

Hello,

I totally agree with you. I see it as a problem, more so when applications are often developed with frameworks that have these basic bugs. I would suggest that CAS developers use information from the client's environment (e.g. source IP, browser type, etc.) to associate the TGT in some way, so that if an attacker does NOT have the same client environment, the cookie in their possession will not work. Although I also think that attackers may try to replicate that environment to get in. A greeting.

Ale.