Question posted in
Some documentation to get you started can be found here.

Session issue when Set-Cookie has HttpOnly & Secure – Apache

Assume user is already logged into system. User performed the some activity and based on that they receive one email. Email has one link, if user clicks that they will be redirected to appropriate screen.
But due to some reason when user try the hyperlink they logged out from system and have to login again.

After debugging it turns out that we have below rule in apache conf file.

Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=strict

After removing above line everything works as expected.

So i am trying to find out the reason behind it (i.e. why session issue occurs if above rule is in place). Also how i should add that rule without impacting session because http only & secure cookie is required as per security guide line.

Tags:

2

Answers


  1. 0

    I had the same issue and use following code.

    Note: Content-Security-Policy is to filter what type of data server should be allow to access and you can remove that line if you want.

    #fixing vulnerability issues
TraceEnable Off
Header set X-Frame-Options SAMEORIGIN
Header always edit Set-Cookie (.*) "$1; HTTPOnly"
Header always edit Set-Cookie (.*) "$1; Secure"
Header set Content-Security-Policy "frame-ancestors 'none'; default-src 'self' http://onecrm; script-src 'unsafe-inline' 'unsafe-eval' *; connect-src *; img-src data: *; style-src 'unsafe-inline' *;"

    More reading: Set-Cookie, Cookies for dummies, SameSite cookie attribute

    Login or Signup to reply.
  2. 0

    You need to change SameSite=strict to SameSite=lax (or just remove it, since lax is default value)

    The strict value will prevent the cookie from being sent by the
    browser to the target site in all cross-site browsing context, even
    when following a regular link.

    The default lax value provides a reasonable balance between security
    and usability for websites that want to maintain user’s logged-in
    session after the user arrives from an external link.

    https://www.owasp.org/index.php/SameSite

    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search