Missing Secure attributes in cookies: WL_PERSISTENT_COOKIE and testcookie

Question

In a security scan result, I received the following error:

"Missing Secure Attribute in Encrypted Session (SSL) Cookie" for WL_PERSISTENT_COOKIE and testcookie.

I don't know how to set the Secure attribute for these cookies; the WebSphere server only allows me to set the Secure attribute for the JSESSIONID cookie, but not for the others.

Here are my conclusions from my appscan results:

• testcookie: This cookie seems to be generated in the worklight.js file. According to AppScan, the application sends a request to the server (GET /ParkingApp/apps/services/preview/SmarterParking/common/0/default/worklight/worklight.js HTTP/1.1) and the server responds with this file, which contains the following code fragment:

areCookiesEnabled : function() {
    var enabled = true;
    if (WL.EnvProfile.isEnabled(WL.EPField.WEB)) {
        var date = new Date();
        date.setTime(date.getTime() + (24 * 60 * 60 * 1000));
        document.cookie = "testcookie=oreo; expires=" + date.toGMTString() + "; path=/";
        var cookie = getCookie('testcookie');
        enabled = (cookie.value === 'oreo');
    }
    return enabled;
}

So I understand that the cookie is set in this file as the subsequent requests and responses exchange the testcookie.

How can I edit this file, as it seems to be a predefined file in Worklight? Would it be good practice to edit this file so that I modify that line to include the Secure attribute?

• WL_PERSISTENT_COOKIE: With this cookie I'm a little bit stuck. The Worklight server looks for this cookie in the request and, in case it is not found, sends it back to the client in a Set-Cookie header. Actually, this is what I'm seeing in the security scan; however, the server doesn't set this cookie with the Secure attribute, and I don't find the option in the WebSphere server settings. How could I set the persistent cookie to have the Secure attribute?

Thank you very much in advance!

Recommended answer

The short answer is that there is no option to set the secure attribute for either of these cookies. These 2 cookies are not considered sensitive. But AppScan does not know if these are sensitive cookies or not and so just reports that there is no secure attribute set.

In the case of testcookie, it is only used by the client to test whether cookies can be set or not. It is not used by the server at all.

The WL_PERSISTENT_COOKIE is a randomly generated ID to associate a request with a user identity when there is no other user identity established. It is used internally to represent an anonymous ID for purposes like tracking/reporting. It is not used for protecting resources that require authentication and authorization. So capturing a WL_PERSISTENT_COOKIE token and using it from another device or another session would not grant any additional or different privileges.
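The scanner finding above is purely syntactic: it flags any cookie observed on a TLS session whose attribute string lacks Secure, regardless of whether the cookie protects anything. As an added example (not code from the question, the answer or Worklight), the following JavaScript performs that same check over constructed cookie strings; it parses both Set-Cookie header values and document.cookie assignment strings, and the sample values and the overTls flag are assumptions for the demonstration.

```javascript
// Added example: parse cookie attribute strings and report cookies that are
// set over TLS without the Secure attribute. This is the check behind the
// "Missing Secure Attribute in Encrypted Session (SSL) Cookie" finding.
// The sample strings below are constructed; the values are not real ids.

// Parses "name=value; Attr1=v; Attr2" as used by both Set-Cookie headers
// and document.cookie assignments (e.g. the testcookie line in worklight.js).
function parseCookieString(cookieString) {
  const parts = cookieString.split(';').map(p => p.trim()).filter(Boolean);
  const [name, ...valueRest] = parts[0].split('=');
  const cookie = {
    name: name.trim(),
    value: valueRest.join('='), // value may itself contain '='
    secure: false,
    httpOnly: false,
    attributes: {},
  };
  for (const attr of parts.slice(1)) {
    const eq = attr.indexOf('=');
    const key = (eq === -1 ? attr : attr.slice(0, eq)).trim().toLowerCase();
    const val = eq === -1 ? true : attr.slice(eq + 1).trim();
    if (key === 'secure') cookie.secure = true;       // attribute names are
    else if (key === 'httponly') cookie.httpOnly = true; // case-insensitive
    else cookie.attributes[key] = val;
  }
  return cookie;
}

// Returns the names of cookies that lack Secure. The finding only applies to
// cookies seen on an encrypted session, so a plain-HTTP capture yields none.
function findCookiesMissingSecure(cookieStrings, overTls) {
  if (!overTls) return [];
  return cookieStrings
    .map(parseCookieString)
    .filter(c => !c.secure)
    .map(c => c.name);
}

// Constructed samples resembling what the scan in the question observed.
const SAMPLE_COOKIES = [
  'JSESSIONID=0000abc; Path=/; Secure; HttpOnly',
  'WL_PERSISTENT_COOKIE=12345; Path=/; Expires=Thu, 01 Jan 2099 00:00:00 GMT',
  'testcookie=oreo; expires=Thu, 01 Jan 2099 00:00:00 GMT; path=/',
];

console.log(findCookiesMissingSecure(SAMPLE_COOKIES, true));
// → [ 'WL_PERSISTENT_COOKIE', 'testcookie' ]
```

Whether either flagged cookie actually matters is a separate judgement, which is the point of the answer: the scanner cannot tell a sensitive session token from an anonymous tracking id or a cookie-support probe.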
