ICEpush

Add httpOnly and secure attributes to the ice.push.browser Cookie

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: EE-3.3.0.GA_P02, 4.0
    • Fix Version/s: EE-4.0.0.GA, EE-3.3.0.GA_P03, 4.1
    • Component/s: Push Library
    • Labels:
      None
    • Environment:
      All

      Description

      A security scan has flagged the ice.push.browser Cookie for not having the secure and httpOnly attributes.

      Summary
      --------------------------------------------------------------------------------------------------------------------------
      Report Vulnerable - ice.push.browser Cookie has problem(s)
      Severity Low
      SmartAttack Cookie Vulnerabilities
      --------------------------------------------------------------------------------------------------------------------------
      Message
      --------------------------------------------------------------------------------------------------------------------------
      ice.push.browser Cookie has problem(s)

      ice.push.browser = hi2xevbo8;
      Host = cdm-test.kyisc.us.ams1907.com;
      Path = /
      1. Cookie does not have secure attribute.
      2. Cookie does not have HTTPOnly attribute.

        Activity

        Mircea Toma added a comment -

        Made 'ice.push.browser' cookie secure and have HttpOnly access.

        Ken Fyten added a comment -

        Need to verify that this change doesn't have any negative impacts on jMeter or other load testing scripts that need to populate the cookie into synthetic HTTP requests.

        Arran Mccullough added a comment -

        Customer has asked if the following other cookies can have these changes made as well:
        • ice.connection.lease
        • ice.connection.running
        • ice.connection.contextpath
        • ice.pushids

        Mircea Toma added a comment -

        The cookies mentioned above are not set by the server and thus they cannot receive the httpOnly attribute.

        Lukasz Koniecki added a comment -

        This change was reverted by ICE-10352 changes. This was by mistake or on purpose?

        Mircea Toma added a comment -

        It was on purpose. There are cases in ICEpush when ice.push.browser cookie is set from Javascript.

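As an added example (not ICEpush code, and not part of the issue), a small audit that reproduces the scan's two findings over constructed Set-Cookie headers; it only sees server-sent headers, which, as the last comment notes, is the only place a cookie can acquire HttpOnly. The sample header values are constructed to mirror the scan output in the description.

```python
"""Audit Set-Cookie response headers for the two findings in the scan above."""
from typing import List, Set, Tuple

# Constructed sample headers (not taken from the real scan). The cookie name,
# value and path mirror the scan output quoted in the issue; the second line
# is what the fix should produce.
SAMPLE_HEADERS = [
    "Set-Cookie: ice.push.browser=hi2xevbo8; Path=/",
    "Set-Cookie: ice.push.browser=hi2xevbo8; Path=/; Secure; HttpOnly",
    "Content-Type: text/html",
    "Set-Cookie: JSESSIONID=abc123; Path=/; HttpOnly",
]


def parse_set_cookie(header: str) -> Tuple[str, str, Set[str]]:
    """Return (name, value, attribute names) for one Set-Cookie header.

    Attribute names are lower-cased: RFC 6265 makes them case-insensitive,
    so 'HttpOnly', 'httponly' and 'HTTPOnly' all count.
    """
    _, _, cookie = header.partition(":")
    parts = [p.strip() for p in cookie.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {p.partition("=")[0].lower() for p in parts[1:] if p}
    return name.strip(), value, attrs


def audit_cookie(header: str) -> List[str]:
    """Findings the scan would raise for one header; empty list if clean."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: Cookie does not have secure attribute.")
    if "httponly" not in attrs:
        findings.append(f"{name}: Cookie does not have HTTPOnly attribute.")
    return findings


def audit_headers(headers: List[str]) -> List[Tuple[str, List[str]]]:
    """Audit every Set-Cookie header of a response; other headers are skipped.

    Only server-sent cookies appear here, and only they can carry HttpOnly:
    a cookie written from JavaScript via document.cookie never gets it.
    """
    return [
        (parse_set_cookie(h)[0], audit_cookie(h))
        for h in headers
        if h.lower().startswith("set-cookie:")
    ]
```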

          People

          • Assignee:
            Mircea Toma
          • Reporter:
            Arran Mccullough