[LP8.6/Apache/Win] Cookie Problem


[LP8.6/Apache/Win] Cookie Problem

Jon Harris
Hi List

A scan of our client's site "revealed" some vulnerabilities around cookies.

It said we had:
"Missing Secure Flag From SSL Cookie (http-cookie-secure-flag)"
"Missing HttpOnly Flag From Cookie (http-cookie-http-only-flag)"

So, to turn these on, I made a couple of edits to httpd.conf.

I uncommented:
LoadModule headers_module modules/mod_headers.so

Then added the line:
Header set Set-Cookie HttpOnly;Secure

My login.lasso page does an Ajax call to a page which does this:

Session_Start(-Name = $site + 'user', -Expires=120, -UseCookie);
Session_AddVar(-Name=$site + 'user', 'sessionloginok');

On the callback page sessionloginok wasn't set.

When I removed the "Header set", it worked again.

Does anyone know why this is happening?

Regards
Jon Harris


#############################################################

This message is sent to you because you are subscribed to
  the mailing list Lasso [hidden email]
Official list archives available at http://www.lassotalk.com
To unsubscribe, E-mail to: <[hidden email]>
Send administrative queries to  <[hidden email]>

Re: [LP8.6/Apache/Win] Cookie Problem

stevepiercy
Remove the header directive from Apache.

Instead add -secure to session_start.

session_start(-name=$cookie_name, -expires=$session_duration, -secure);

--steve


On 2/11/15 at 5:31 PM, [hidden email] (Jon Harris) pronounced:

> Hi List
>
> A scan of our client's site "revealed" some vulnerabilities around cookies.

-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
Steve Piercy              Website Builder              Soquel, CA
<[hidden email]>               <http://www.StevePiercy.com/>



Re: [LP8.6/Apache/Win] Cookie Problem

Bil Corry-3
That won't add the HTTPOnly flag, which I don't think Lasso supports anyhow.

Apache can be used; I found this on StackExchange[1] and it looks right:

    Header always edit Set-Cookie (.*) "$1; HTTPOnly; Secure"

- Bil

[1]
http://stackoverflow.com/questions/24129201/add-secure-and-httponly-flags-to-every-set-cookie-response-in-apache-httpd


On Wed, Feb 11, 2015 at 7:55 PM, Steve Piercy - Website Builder <[hidden email]> wrote:

> Remove the header directive from Apache.
>
> Instead add -secure to session_start.
>
> session_start(-name=$cookie_name, -expires=$session_duration, -secure);
>
> --steve
>
>
> On 2/11/15 at 5:31 PM, [hidden email] (Jon Harris) pronounced:
>
> > Hi List
> >
> > A scan of our clients site "revealed" some vulnerabilities around
> cookies.
> >
> > It said we had:
> > "Missing Secure Flag From SSL Cookie (http-cookie-secure-flag)"
> > "Missing HttpOnly Flag From Cookie (http-cookie-http-only-flag)"
> >
> > So, to turn this on, I did a couple of edits of the httpd.conf
> >
> > I uncommented:
> > LoadModule headers_module modules/mod_headers.so
> >
> > Then added the line:
> > Header set Set-Cookie HttpOnly;Secure
> >
> > My login.lasso page, does an ajax call to a page which does this:
> >
> > Session_Start(-Name = $site + 'user', -Expires=120, -UseCookie);
> > Session_AddVar(-Name=$site + 'user', 'sessionloginok');
> >
> > On the callback page sessionloginok wasn't set.
> >
> > When I removed the "Header set" -  it worked again.
> >
> > Does anyone know why this is happening?
> >
> > Regards
> > Jon Harris
> >
> >
> > #############################################################
> >
> > This message is sent to you because you are subscribed to
> >   the mailing list Lasso [hidden email]
> > Official list archives available at http://www.lassotalk.com
> > To unsubscribe, E-mail to: <[hidden email]>
> > Send administrative queries to  <[hidden email]>
>
> -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
> Steve Piercy              Website Builder              Soquel, CA
> <[hidden email]>               <http://www.StevePiercy.com/>
>
>
> #############################################################
>
> This message is sent to you because you are subscribed to
>   the mailing list Lasso [hidden email]
> Official list archives available at http://www.lassotalk.com
> To unsubscribe, E-mail to: <[hidden email]>
> Send administrative queries to  <[hidden email]>
>

#############################################################

This message is sent to you because you are subscribed to
  the mailing list Lasso [hidden email]
Official list archives available at http://www.lassotalk.com
To unsubscribe, E-mail to: <[hidden email]>
Send administrative queries to  <[hidden email]>
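Nobody in the thread spells out why "Header set" broke the login, so here is an added example (my code, not Jon's, Bil's, or anything shipped with Lasso or Apache) that emulates the two mod_headers directives on a constructed Lasso 8 session cookie and runs the two checks the scanner reported. "Header set Set-Cookie HttpOnly;Secure" replaces every Set-Cookie value Lasso emitted with the literal string "HttpOnly;Secure", which has no name=value pair, so the browser ignores it (RFC 6265 section 5.2) and the callback page starts a fresh session without sessionloginok. "Header edit" keeps the cookie and appends the attributes. One caveat on Bil's "Header always edit": the "always" condition acts on Apache's err_headers_out table, while the default (onsuccess) form acts on headers_out. Since the plain "Header set" visibly altered Lasso's cookie, that cookie lives in headers_out, so an "always" rule may never touch it; try the same edit without "always" first (or keep both) and confirm the flags in the browser's developer tools. The cookie name "_SessionTracker_mysiteuser" and its value are made up for this example; the "_SessionTracker_" prefix is the one Steve mentions later in the thread.

```python
"""Added example, not code from the thread or from Lasso/Apache: emulate the
two mod_headers directives on a Lasso 8 session cookie and run the two
checks the scanner reported.

Assumptions (constructed for this example): the cookie name
"_SessionTracker_mysiteuser" and the sample cookie value below.
"""
import re

# What the Lasso 8 backend emits for the session cookie (constructed sample).
LASSO_SET_COOKIE = "_SessionTracker_mysiteuser=A1B2C3D4E5; path=/"


def parse_set_cookie(value):
    """Split a Set-Cookie value into (name, value, {attr_lower: attr_value}).

    RFC 6265 section 5.2: the first ';'-separated piece must contain '=',
    otherwise the user agent ignores the whole set-cookie-string (None).
    """
    pieces = [p.strip() for p in value.split(";")]
    if "=" not in pieces[0]:
        return None
    name, _, cookie_value = pieces[0].partition("=")
    attrs = {}
    for piece in pieces[1:]:
        if piece:
            key, _, attr_value = piece.partition("=")
            attrs[key.strip().lower()] = attr_value.strip()
    return name.strip(), cookie_value.strip(), attrs


def audit_set_cookie(value):
    """The two findings from the scan report, evaluated for one Set-Cookie."""
    parsed = parse_set_cookie(value)
    if parsed is None:
        return {"cookie": None, "findings": ["ignored-by-browser (no name=value)"]}
    name, _, attrs = parsed
    findings = []
    if "secure" not in attrs:
        findings.append("http-cookie-secure-flag")
    if "httponly" not in attrs:
        findings.append("http-cookie-http-only-flag")
    return {"cookie": name, "findings": findings}


def header_set(_existing, literal):
    """'Header set Set-Cookie <literal>': every existing Set-Cookie value in
    the table is dropped and replaced by the literal string."""
    return literal


def header_edit(existing, pattern, replacement):
    """'Header edit Set-Cookie <pattern> <replacement>': one regex
    search-and-replace on the existing value; Apache's $1 becomes a Python
    group-1 backreference."""
    return re.sub(pattern, replacement.replace("$1", r"\1"), existing, count=1)


def add_flags_once(existing):
    """Idempotent variant: append each flag only if it is absent, so a cookie
    that Lasso already marked -Secure does not end up as '...; Secure; Secure'."""
    value = existing
    for flag in ("HttpOnly", "Secure"):
        if not re.search(r";\s*" + flag + r"\s*(;|$)", value, re.IGNORECASE):
            value += "; " + flag
    return value
```

audit_set_cookie() is the same check for any other cookie the application sets, and add_flags_once() is what the rewrite should do once a cookie can already carry one of the flags (for instance after adding -Secure to session_start): the naive (.*) rule appends a second copy, which browsers tolerate but which makes the header noisy and some scanners report.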

Re: [LP8.6/Apache/Win] Cookie Problem

Jolle Carlestam-2
In reply to this post by stevepiercy
That will only solve half the issue. Lasso lacks a flag for http-only. It has been reported as a bug/feature request but Lassosoft has given no response on if it will be implemented.

HDB
Jolle

Sent from a thin, flat, touchy device from an undetermined place in space.

> On 11 Feb 2015 at 19:55, Steve Piercy - Website Builder <[hidden email]> wrote:
>
> Remove the header directive from Apache.
>
> Instead add -secure to session_start.
>
> session_start(-name=$cookie_name, -expires=$session_duration, -secure);
>
> --steve

RE: [LP8.6/Apache/Win] Cookie Problem

Jon Harris
Hi Jolle/Paul/Steve

Thanks for your replies to my posting.

I have removed the header directive. I think it's unlikely LS will add features into 8 now; I'm pretty sure the focus will remain on 9.

I'll add the secure operator to my sessions and see what the next scan reveals. There were other (non-Lasso) items in the scan report, such as turning off SSLv3, TCP timestamps, and an insecure encryption method.

On top of this I managed to implement mod_security2, as I found a compiled .so version for the Apache we are running; hopefully this will take our score below the fail threshold.

Once again thanks for your responses.

Jon



-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Jolle Carlestam
Sent: 11 February 2015 20:52
To: [hidden email]
Subject: Re: [LP8.6/Apache/Win] Cookie Problem

That will only solve half the issue. Lasso lacks a flag for http-only. It has been reported as a bug/feature request but Lassosoft has given no response on if it will be implemented.


RE: [LP8.6/Apache/Win] Cookie Problem

Jon Harris
Hi

According to the reference docs:

http://reference.lassosoft.com/

session_start does have the flags I need.

-Secure If set the session cookie will only be sent back to the Web server on requests for HTTPS secure Web pages.
-HttpOnly If set the session cookie will only be accessible by the server, and not by client scripts.

Which, if they work, is very good news.

I am adding this into the code now to see if it works.

Regards
Jon




RE: [LP8.6/Apache/Win] Cookie Problem

stevepiercy
In reply to this post by Jon Harris
I misunderstood what you were trying to do at first, and zeroed
in on the -secure flag.

There are ways of making Lasso 8 and Apache work as you desire.  
Both can set headers.  Where to do so depends on the scope of
where you want to set headers.  If it's just a few pages and you
want to exclude other pages, then Lasso may be better.  If you
don't mind having it for the secure site, then putting it into
the VirtualHost container in Apache may be better.

Anyway, for Lasso 8, here's an example of setting headers that
you may find useful.

[
// Lasso 8 prepends the cookie name with "_SessionTracker_". Get the cookie ID.
local('cookieid') = cookie('_SessionTracker_my_cookie_name');
// date gymnastics to calculate the cookie expiration offset and convert to GMT format
local('gmt') = date;
// cookie expires in...
#gmt->add(-minute=60);
#gmt = date_localtogmt(#gmt);
// Netscape cookie date format: Wdy, DD-Mon-YYYY HH:MM:SS GMT (the "GMT" suffix is appended below)
#gmt->setformat('%a, %d-%b-%Y %T');
content_header = 'HTTP/1.1 200 OK\r\n';
content_header->append('Expires: -1\r\n');
// the header name is hyphenated: "Cache-Control", not "CacheControl"
content_header->append('Cache-Control: no-cache\r\n');
content_header->append('MIME-Version: 1.0\r\n');
// re-issue the session cookie with both flags the scan asked for
content_header->append('Set-Cookie: _SessionTracker_my_cookie_name=' + #cookieid + '; expires=' + #gmt + ' GMT; path=/; secure; HttpOnly\r\n');
]

If you think Apache is a better place to set the headers, then
go with Bil's advice.

As far as the other items, depending on your operating system,
and versions of Apache and openssl (or whatever you happen to
use for ssl), you may or may not have certain protocols and
ciphers available or supported.  If you are on CentOS 5 or 6
with the default Apache 2.2.x, the following is the set of
protocols and cipher suite that I ended up with after digging
around on SSL Labs[1].  Bil may have a better suggestion.

     SSLEngine on
     SSLProtocol all -SSLv2 -SSLv3
     SSLHonorCipherOrder On
     SSLCipherSuite RC4-SHA:HIGH:!ADH

It's suboptimal, but LassoSoft does not support Lasso 8 on
CentOS 7 where you could have a better cipher suite.

There's also a very helpful tool that will analyze your server
configuration for SSL/TLS and make recommendations.
https://www.ssllabs.com/ssltest/index.html

--steve

[1] Search the comments for "Apache 2.2".  The situation is not
good. https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy



On 2/12/15 at 8:01 AM, [hidden email] (Jon Harris) pronounced:

>Hi Jolle/Paul/Steve
>
>Thanks for your replies to my posting.
>
>I have removed the header directive. I think its unlikely LS
>will add features into 8 now, I'm pretty sure the focus will
>remain on 9.

-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
Steve Piercy              Website Builder              Soquel, CA
<[hidden email]>               <http://www.StevePiercy.com/>


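Steve's snippet is about protocols and ciphers rather than cookies, but the next scan will test those too, so here is an added example (my code, not from the thread, Apache or Lasso) of an offline lint for SSLProtocol, SSLHonorCipherOrder and SSLCipherSuite, applied to his snippet and to two constructed variants. It encodes two mod_ssl/OpenSSL rules worth knowing: a bare protocol name in SSLProtocol replaces the set built so far (only "+" and "-" are additive, which is why "TLSv1 TLSv1.1 TLSv1.2" leaves only TLSv1.2 enabled), and in a cipher string only a "!" prefix permanently excludes a family. It also flags RC4-SHA: RC4 was once recommended as a BEAST mitigation for servers without TLS 1.1+, but RFC 7465 (February 2015) prohibits RC4 suites and scanners report it. The HARDENED_CONF string is this example's suggestion, assumes Apache 2.2 on OpenSSL 1.0.1, and should be checked with the SSL Labs test Steve links rather than taken as-is.

```python
"""Added example, not from the thread: an offline lint for the mod_ssl
directives in Steve's snippet, run on that snippet and on two constructed
variants. HARDENED_CONF is this example's own suggestion, not the thread's.
"""

THREAD_CONF = """
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite RC4-SHA:HIGH:!ADH
"""

# Constructed: SSLv3 still enabled, client chooses the suite.
WEAK_CONF = """
SSLEngine on
SSLProtocol all -SSLv2
SSLHonorCipherOrder Off
SSLCipherSuite RC4-SHA:HIGH:!ADH
"""

# Constructed suggestion: no RC4 (RFC 7465), no anonymous, MD5 or 3DES suites.
HARDENED_CONF = """
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite HIGH:!aNULL:!RC4:!MD5:!3DES
"""

# Assumption: what 'all' expands to on a 2.2.x build against OpenSSL 1.0.1.
ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
WEAK_CIPHER_MARKERS = ("RC4", "MD5", "DES", "NULL", "EXPORT", "ADH", "AECDH")


def directives(conf):
    """Map directive name (lowercased) -> argument string; the last one wins."""
    out = {}
    for line in conf.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            out[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return out


def enabled_protocols(value):
    """mod_ssl's SSLProtocol rules: '+' adds, '-' removes, and a bare name
    REPLACES the set built so far (newer 2.4 logs AH02532 when that happens)."""
    enabled = set()
    for token in value.split():
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("", token)
        names = ALL_PROTOCOLS if name.lower() == "all" else {name}
        if sign == "+":
            enabled |= names
        elif sign == "-":
            enabled -= names
        else:
            enabled = set(names)
    return enabled


def cipher_findings(value):
    """Flag weak families listed positively. '!X' kills X for the whole
    string; a plain '-X' only removes it until a later token re-adds it."""
    tokens = value.split(":")
    killed = {t[1:].upper() for t in tokens if t.startswith("!")}
    findings = []
    for token in tokens:
        if token.startswith(("!", "-")):
            continue
        for marker in WEAK_CIPHER_MARKERS:
            if marker in token.upper() and marker not in killed:
                findings.append(f"cipher token {token} enables {marker}")
    # Broad aliases pull RC4 (and other MEDIUM suites) back in unless killed.
    if any(t.upper() in ("ALL", "DEFAULT", "MEDIUM") for t in tokens) and "RC4" not in killed:
        findings.append("alias includes RC4 without !RC4")
    return findings


def lint(conf):
    """Findings for one httpd.conf fragment; an empty list means clean."""
    d = directives(conf)
    findings = []
    protos = enabled_protocols(d.get("sslprotocol", "all"))
    for old in ("SSLv2", "SSLv3"):
        if old in protos:
            findings.append(f"{old} enabled")
    if d.get("sslhonorcipherorder", "off").lower() != "on":
        findings.append("SSLHonorCipherOrder not On (client picks the suite)")
    findings += cipher_findings(d.get("sslciphersuite", "DEFAULT"))
    return findings
```

lint(THREAD_CONF) returns only the RC4 finding, which is the item the scan report called "an insecure encryption method" most likely refers to; dropping RC4-SHA from the front of the string is the change to test with SSL Labs before the rescan.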

RE: [LP8.6/Apache/Win] Cookie Problem

stevepiercy
In reply to this post by Jon Harris
Huh, -HttpOnly didn't make it into the PDF version of the Lasso
8 docs.  No wonder I missed it!

--steve


On 2/12/15 at 8:37 AM, [hidden email] (Jon Harris) pronounced:

>Hi
>According to the reference docs:
>
>http://reference.lassosoft.com/
>
>session_start does have the flags I need.
>
>-Secure If set the session cookie will only be sent back to the
>Web server on requests for HTTPS secure Web pages. -HttpOnly If
>set the session cookie will only be accessible by the server,
>and not by client scripts.

-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
Steve Piercy              Website Builder              Soquel, CA
<[hidden email]>               <http://www.StevePiercy.com/>



Re: [LP8.6/Apache/Win] Cookie Problem

Brad Lindsay
In reply to this post by Jolle Carlestam-2
Jolle,

While it looks like Lasso 9.2 doesn’t have the -HttpOnly option, it seems to have been added in 9.3.

Brad

On February 11, 2015 at 3:52:28 PM, Jolle Carlestam ([hidden email]) wrote:

> That will only solve half the issue. Lasso lacks a flag for http-only. It has been reported  
> as a bug/feature request but Lassosoft has given no response on if it will be implemented.  
>  
> HDB
> Jolle
>  
> Sent from a thin, flat, touchy device from an undetermined place in space.
>  
> > 11 feb 2015 kl. 19:55 skrev Steve Piercy - Website Builder :  
> >
> > Remove the header directive from Apache.
> >
> > Instead add -secure to session_start.
> >
> > session_start(-name=$cookie_name, -expires=$session_duration, -secure);
> >
> > --steve
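
Why the `Header set` line from the original post broke the session, as an added note and example that is not part of the thread: with mod_headers, `Header set` replaces the entire Set-Cookie value with the literal text `HttpOnly;Secure`, so the browser never receives the session cookie's name and value. `Header edit` rewrites each Set-Cookie the application emits in place and appends the flags to it. The block below shows the directive from the post beside that corrected form; it assumes the same httpd.conf and module path the post uses.

```apache
# Added example, not from the thread. Module line as in the original post.
LoadModule headers_module modules/mod_headers.so

# Original directive from the post, kept here commented out.
# "set" REPLACES the whole Set-Cookie value, so the response carries
# "Set-Cookie: HttpOnly;Secure" with no cookie name or value at all.
# The Lasso session cookie is lost, which is why sessionloginok was unset.
# Header set Set-Cookie HttpOnly;Secure

# Corrected form: "edit" rewrites every existing Set-Cookie value in place,
# keeping the cookie ($1) and appending the two flags. "always" also covers
# non-2xx responses such as a redirect issued right after login.
Header always edit Set-Cookie ^(.*)$ "$1;HttpOnly;Secure"
```

If the application already emits Secure itself (for example via Steve's `-secure`), the attribute will appear twice; browsers tolerate that, but it is cleaner to set the flags in one place only. Verify the result by inspecting the Set-Cookie header in the browser's developer tools or with a HEAD request over HTTPS.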



Re: [LP8.6/Apache/Win] Cookie Problem

Jolle Carlestam-2
On 12 Feb 2015 at 15:18, Brad Lindsay <[hidden email]> wrote:

> While it looks like Lasso 9.2 doesn’t have the -HttpOnly option, it seems to have been added in 9.3.

Might be so, but I can see no evidence that it works. I tried adding it to my cookie settings but it does not show as HttpOnly in the browsers I test with.

Where did you see that it was added to 9.3?

HDB
Jolle


Re: [LP8.6/Apache/Win] Cookie Problem

Brad Lindsay
Jolle,

I ran [session_start(234)] and it errored that it couldn’t find the signature, and I saw it in the signature it suggested I use. I will test and see if it works for me.

Brad

On February 12, 2015 at 3:03:45 PM, Jolle Carlestam ([hidden email]) wrote:

> On 12 Feb 2015 at 15:18, Brad Lindsay wrote:
>  
> > While it looks like Lasso 9.2 doesn’t have the -HttpOnly option, it seems to have been added in 9.3.
>  
> Might be so, but I can see no evidence that it works. I tried adding it to my cookie settings but it does not show as HttpOnly in the browsers I test with.
>  
> Where did you see that it was added to 9.3?
>  
> HDB
> Jolle
>  



Re: [LP8.6/Apache/Win] Cookie Problem

Jolle Carlestam-2
On 12 Feb 2015 at 22:19, Brad Lindsay <[hidden email]> wrote:

> I ran [session_start(234)] and it errored that it couldn’t find the signature, and I saw it in the signature it suggested I use. I will test and see if it works for me.
>
> Brad

Aha, but I don’t use the session tags, rolling my own session handling. I was referring to the cookie methods. But that was a good trick, run a deliberately faulty call and see what it suggests.

Doing that
web_response -> setcookie(123)
I get this suggested syntax
web_response_impl->setCookie(nv::pair, -domain =?, -expires =?, -path =?, -secure =?)
Thus confirming that Lasso 9.3 cookies do not have HttpOnly support.

Given that, I am a bit surprised that the session handling offers it. I would have assumed that session_start in turn would call setcookie.

Anyway, this is old news. I reported this and a related issue with cookie handling some time ago.
http://www.lassosoft.com/rhinotrac?id=7935
http://www.lassosoft.com/rhinotrac?id=7934

From the comments in those two reports it looks like the matter has been addressed, but possibly not distributed. There is also an interesting remark from Eric:
"I added this already for 8.6; shouldn't be hard."
Indicating that 8.6 indeed has support for HttpOnly. Should be good news for Jon, since that was the original issue.

HDB
Jolle
