WASdev/ci.docker

Secure Flag is not set on the Liberty WASOIDCCode Cookie

Closed this issue · 2 comments

We got a low-severity security finding during our application's pentest where it was pointed out that WASOidcCode, along with other cookies set by OpenID Connect, does not have the Secure flag set.

On searching I found that there was an issue for the WASOidcCode cookie and that it is fixed in Liberty 17.*, as mentioned in the link below:
https://www-01.ibm.com/support/docview.wss?uid=swg1PI94351

We tried to set the httpsRequired flag, but even with that the cookie's Secure flag was not set.

server.xml and a snapshot of the cookies are attached.

Attachments: testserver.txt (server.xml), [screenshot of cookies]

Note that in the above screenshot, the cookie is being cleared (by setting Expires to 1994). It's not necessary to use the Secure flag when clearing a cookie. I tested on 19006 and when the cookie is set, the Secure flag is used.
[screenshot]

The only cookie that I could spot being set without the Secure flag is the was_p(nnnnn) cookie; that one is set by the OIDC server and can be flipped to Secure by adding <webAppSecurity ssoRequiresSSL="true"/> to the server.xml of that server.

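The distinction drawn in the comment above (a cookie being cleared with a 1994 Expires date needs no Secure flag, a cookie being set does) is exactly what a pentest scanner tends to get wrong. The following audit script is an added example, not code from this thread or from the Liberty project: it parses Set-Cookie headers, skips deletions (Max-Age<=0 or an Expires date in the past), and reports only cookies that are genuinely set without Secure. The headers in SAMPLE_HEADERS are constructed to mirror the thread: a cleared WASOidcCode, a fresh WASOidcCode with Secure, and a was_p12345 SSO cookie (a made-up instance of the was_p(nnnnn) name) that is missing it; the tmp cookie and the 12345 suffix are assumptions for illustration only. After applying <webAppSecurity ssoRequiresSSL="true"/> you would re-run it on real headers captured with something like curl -i and expect an empty result.

```python
"""Audit Set-Cookie headers for a missing Secure flag, ignoring cookie deletions.

Added example; not part of the Liberty project or this issue thread.
SAMPLE_HEADERS are constructed test data, not captured from a real server.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attrs).

    Attribute names are lowercased so 'Secure', 'secure' and 'SECURE' all match;
    flag attributes without '=' get an empty string as their value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def is_clearing(attrs, now):
    """True if the header deletes the cookie rather than setting it.

    Deletion is signalled by Max-Age <= 0 or an Expires date already in the
    past (the 1994 date in the thread). Such a header carries no value a
    browser will store, so the Secure flag is irrelevant for it.
    """
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) <= 0
        except ValueError:
            return False
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return False  # unparseable date: treat as a real set, so it still gets audited
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return expires <= now
    return False


def audit(headers, now=None):
    """Return the names of cookies that are set (not cleared) without Secure."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for header in headers:
        name, _value, attrs = parse_set_cookie(header)
        if is_clearing(attrs, now):
            continue
        if "secure" not in attrs:
            findings.append(name)
    return findings


# Constructed sample headers modelled on the screenshot discussed in the thread.
SAMPLE_HEADERS = [
    # WASOidcCode being cleared: past Expires, no Secure, and that is fine.
    "WASOidcCode=; Expires=Thu, 01 Dec 1994 16:00:00 GMT; Path=/; HttpOnly",
    # WASOidcCode actually set, with Secure as in 19006.
    "WASOidcCode=abc123; Path=/; Secure; HttpOnly",
    # OIDC-server SSO cookie set without Secure (the real finding); name suffix is made up.
    "was_p12345=deadbeef; Path=/; HttpOnly",
    # Assumed extra cookie deleted via Max-Age=0; must also be skipped.
    "tmp=; Max-Age=0; Path=/",
]

if __name__ == "__main__":
    for cookie in audit(SAMPLE_HEADERS):
        print(f"missing Secure flag: {cookie}")
```

The script deliberately treats an unparseable Expires value as a real set rather than a deletion, so a server that emits a malformed date is still flagged instead of silently passing.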
@brutif Thanks for the explanation and the setting. I verified, and it is working as expected.
Closing the task.