Hello, I know that there’s a setting for the .auth cookie to be secure, and it works. But how can I achieve this for the .sid cookie (the session cookie, as far as I understand)? My app is going through a security audit and I have to accomplish this in order to be able to deploy to production servers…
I’ve been trying under config.js, but I haven’t succeeded.
Hi, after adding lines 21-24 to config.js as shown on the screenshot and logging in (API action > Security provider: Security login), the server log in Wappler shows the error.
Maybe it would be easier to dismiss what I’ve been trying. The main objective is to “get the .sid cookie secure variable = true.”
I tested it and the changes you made are correct, that should work. Make sure to delete the old session cookie so that it creates a new one.
The ERR_HTTP_HEADERS_SENT error is when node tries to set the headers after they were already sent to the client. Not sure why you are getting that after setting the cookie options.
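To make the effect of the cookie options concrete, here is an added example (it is not Wappler's config.js and not express-session's source) that models, offline, the decision a session middleware such as express-session makes when it issues the session cookie. It assumes the documented behaviour: a cookie marked `secure: true` is only sent on requests the server sees as HTTPS, and behind a TLS-terminating proxy that requires the app to trust the `X-Forwarded-Proto` header ("trust proxy"). The functions `isSecureRequest` and `sessionCookieHeader`, the cookie name `app.sid` and the request objects are this example's own assumptions.

```javascript
// Added example, not code from the thread or from Wappler/express-session.
// Models when a session cookie is emitted and which flags it carries.

// Is the request considered HTTPS? Direct TLS, or X-Forwarded-Proto: https
// from a proxy that the application has been told to trust (assumed rule,
// matching how express computes req.secure behind "trust proxy").
function isSecureRequest(req, trustProxy) {
  if (req.encrypted) return true;
  if (!trustProxy) return false;
  const proto = (req.headers['x-forwarded-proto'] || '').split(',')[0].trim();
  return proto.toLowerCase() === 'https';
}

// Build the Set-Cookie header the middleware would send for session id `sid`,
// or return null when the cookie is withheld. A null here is the
// "session cookie is no longer created" symptom: secure:true plus a request
// that does not look like HTTPS to the app.
function sessionCookieHeader(opts, req, sid) {
  const cookie = opts.cookie || {};
  let secure = cookie.secure;
  // express-session also accepts 'auto': follow the connection's security.
  if (secure === 'auto') secure = isSecureRequest(req, opts.trustProxy);
  if (secure === true && !isSecureRequest(req, opts.trustProxy)) {
    return null;
  }
  const parts = [`${opts.name}=${encodeURIComponent(sid)}`, 'Path=' + (cookie.path || '/')];
  if (cookie.maxAge) parts.push('Max-Age=' + Math.floor(cookie.maxAge / 1000));
  if (cookie.httpOnly !== false) parts.push('HttpOnly'); // httpOnly defaults to true
  if (secure) parts.push('Secure');
  if (cookie.sameSite) parts.push('SameSite=' + cookie.sameSite);
  return parts.join('; ');
}

// Constructed scenarios (assumed cookie name and headers, not real traffic).
const hardenedOpts = {
  name: 'app.sid',
  trustProxy: true,
  cookie: { httpOnly: true, secure: true, sameSite: 'Lax', maxAge: 3600 * 1000 },
};
const withoutTrustProxy = { ...hardenedOpts, trustProxy: false };

const plainHttpRequest = { encrypted: false, headers: {} };
const behindTlsProxy = { encrypted: false, headers: { 'x-forwarded-proto': 'https' } };
const directTlsRequest = { encrypted: true, headers: {} };

// Results worth checking:
//   plain HTTP with secure:true            -> null (no cookie at all)
//   TLS proxy but trust proxy not enabled  -> null (same symptom)
//   TLS proxy with trust proxy enabled     -> cookie with Secure flag
//   direct TLS                             -> cookie with Secure flag
console.log(sessionCookieHeader(hardenedOpts, plainHttpRequest, 'abc'));
console.log(sessionCookieHeader(withoutTrustProxy, behindTlsProxy, 'abc'));
console.log(sessionCookieHeader(hardenedOpts, behindTlsProxy, 'abc'));
console.log(sessionCookieHeader(hardenedOpts, directTlsRequest, 'abc'));
```

The practical check this gives you: if the session cookie stops appearing after you set `secure: true`, look at whether the app actually sees the request as HTTPS (TLS terminated at a proxy without "trust proxy" is the usual cause) before assuming the option itself is broken, and delete the old cookie in the browser so a fresh one is issued.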
Hi, I’m going to deliver the app I’m working on and in a few days I’m going to set up a clean project to test these secure cookie changes and I’ll get back to you with the results.
It turns out the security audit was passed regardless of this ‘non-secure’ cookie.
The only thing that the secure flag does is that the cookie will only be accepted when the site is served over https. It does not make your cookie more secure. The only flag that I would always set with session and security cookies is the httpOnly flag, since it makes sure the cookies can’t be manipulated in the client browser.
My company hired an ethical hacker and one of the issues he pointed out is the cookie’s Secure flag:
Any way to make it secure?
Description
The built.sid cookie, which is used for user authorization within the web application, is missing the Secure flag. This flag is critical for ensuring that cookies containing sensitive information, such as session identifiers, are only transmitted over HTTPS connections. Without the Secure flag, the cookie could be transmitted over unencrypted HTTP connections, exposing it to potential interception by attackers through Man-in-the-Middle (MITM) attacks.
Impact
Man-in-the-Middle (MITM) Attacks: Attackers on the same network (such as public Wi-Fi) can intercept cookies sent over HTTP, exposing sensitive user data to malicious actors.
Compliance Violations: For companies that must adhere to industry regulations (e.g., GDPR, PCI-DSS), failing to secure session cookies can result in non-compliance, potentially leading to fines or legal consequences.
Remediation
Enable Secure Flag: Ensure that the Secure flag is set for all cookies containing sensitive data, such as the built.sid cookie, to guarantee that they are only transmitted over secure HTTPS connections. This can be achieved by configuring the cookie with the Secure attribute in the backend server configuration.
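The finding above, and the earlier reply about the Secure and HttpOnly flags, both come down to what the response's Set-Cookie headers contain. The following added example (not part of the pentest report, the thread, or Wappler) is a small auditor of the kind a scanner runs: it parses Set-Cookie headers, picks out cookies whose names look like session or auth cookies, and reports any missing Secure, HttpOnly or SameSite attribute. The cookie names, header values and the name heuristic in `SENSITIVE_MARKERS` are constructed for the example; `parseSetCookie` and `auditSetCookies` are its own names.

```javascript
// Added example, not the report's tooling or Wappler code: audit Set-Cookie
// headers for the flags the finding above asks for.

// Name fragments that mark a cookie as carrying a session or auth secret
// (assumed heuristic; extend to match your application's cookie names).
const SENSITIVE_MARKERS = ['.sid', '.auth', 'session', 'token'];

// Parse one Set-Cookie header value into { name, value, attrs }, where
// attribute names are lower-cased and flag attributes map to true.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const attrs = {};
  for (const attr of rest) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return { name, value, attrs };
}

function looksSensitive(name) {
  const lower = name.toLowerCase();
  return SENSITIVE_MARKERS.some(marker => lower.includes(marker));
}

// Returns one finding string per missing attribute on each sensitive cookie.
// An empty array means every sensitive cookie carries Secure, HttpOnly and
// SameSite. Secure keeps the browser from sending the cookie over http://,
// HttpOnly keeps page scripts from reading it, SameSite limits cross-site
// sends; the three address different attacks and are all worth setting.
function auditSetCookies(setCookieHeaders) {
  const findings = [];
  for (const header of setCookieHeaders) {
    const cookie = parseSetCookie(header);
    if (!looksSensitive(cookie.name)) continue;
    if (!cookie.attrs.secure) findings.push(`${cookie.name}: missing Secure`);
    if (!cookie.attrs.httponly) findings.push(`${cookie.name}: missing HttpOnly`);
    if (!cookie.attrs.samesite) findings.push(`${cookie.name}: missing SameSite`);
  }
  return findings;
}

// Constructed sample response headers (not captured from a real server).
const sampleHeaders = [
  'built.sid=s%3Aabc123.signature; Path=/; HttpOnly',               // the cookie in the finding
  'AppSecurity.auth=opaque; Path=/; HttpOnly; Secure; SameSite=Lax', // already hardened
  'theme=dark; Path=/',                                              // not sensitive, ignored
];

// Expected findings for the sample:
//   built.sid: missing Secure
//   built.sid: missing SameSite
console.log(auditSetCookies(sampleHeaders));
```

Run it against the headers of a real login response (copy them from the browser's network panel or from `curl -i`) to see exactly which cookie the auditor will flag; the Secure flag only helps if the site is also served over HTTPS, since a browser never sends a Secure cookie on a plain http:// request.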
Sorry, but I don't understand what you mean.
Is the cookie you are referring to the cookie created on login or some other cookie?
Did you enable the security provider Secure cookie option or not?
Yes, I set it as secure in Wappler; this makes the AppSecurity.auth cookie set with the Secure flag.
If you check the messages above, there is a session cookie (.sid) that Wappler generates:
This one can't be set as secure within Wappler.
I noticed when changing the config.js, the .sid file is not created anymore.
Wappler is showing lots of CSP issues in routing, view, baseComponents and other files...
You guys need to check these issues... As products developed with Wappler get bigger and attract investors, security proof is required to secure investments.