Cookie Security: httponly not set on XSRF-TOKEN?

Gary Whiteford

May 25, 2017, 5:40:25 PM5/25/17
to Shiny - Web Framework for R
We are security testing Shiny Server and our test app was identified as having a problem. The problem was identified as "Cookie Security: HTTP Only Not Set." Looking at the attack response (see reference below), it appears that there are two Set-Cookie statements. One does not have httponly set and one does. 

I've Google'd this, but can't seem to find anything definitive (in addition to not understanding most of the technical details). Seems like it may have to do with XSRF-TOKEN needing to be able to be read by JavaScript? 

I do find the reference to cookies in the RStudio (and Shiny) Security FAQ in regard to cookies:
Cookies:
RStudio Server Pro uses HTTP only cookies except for the CSRF cookie. 

Questions:
  • Does Shiny Server set httponly by default?
  • Why is httponly not set for the XSRF-TOKEN cookie?
Thanks for any input. 


Reference: 
<Attack Response per our security test>
HTTP/1.1 302 Found
X-Powered-By: Express
Set-Cookie: XSRF-TOKEN=[someshorthash]; Path=/
Set-Cookie: session_state=[somereallylonghash]; path=/; expires=Thu, 11 May 2017 08:07:04 GMT; httponly
Location: /apps/[secureappname]/
Vary: Accept
Content-Type: text/html; charset=utf-8
Content-Length: 82
Date: Thu, 11 May 2017 06:07:10 GMT
Connection: keep-alive

Joe Cheng

May 26, 2017, 12:36:43 AM5/26/17
to Gary Whiteford, Shiny - Web Framework for R
XSRF-TOKEN cookies are specifically intended to be read by JavaScript, so to make them httpOnly would defeat the XSRF protection. See the "cookie-to-header token" section on this page: https://en.m.wikipedia.org/wiki/Cross-site_request_forgery

To be clear, this is not a security vulnerability, quite the opposite.

Gary Whiteford

May 26, 2017, 6:29:52 AM5/26/17
to Shiny - Web Framework for R, gar...@gmail.com
Excellent... thanks, Joe!