CLARITY: Enable Clarity to support both 'Secure' and 'http-only' session cookies.

Document ID : KB000020539
Last Modified Date : 14/02/2018
Show Technical Document Details

Description:

By default Clarity and Tomcat session cookies do not have 'secure' and or 'http-only' attributes configured. Clarity r13.1.x and greater now support 'secure' and/or http-only cookies, however addition configuration is required to enable both 'sessionID' and JSESSION cookies.

Note: You must have SSL enabled to leverage 'secure' cookies. Using a non-SSL URL will cause the session to timeout immediately.

Steps to Reproduce :

  1. Login to Clarity via a SSL enabled URL with browser tool enable like Firefox Firebug.

  2. Review the Cookie parameters from the Firebug Cookies tab.

Expected Result: Secure and http-only would be configured for both 'sessionID' and 'JSESSION' cookies.

Actual Result: Cookies are not 'secure' and 'http-only' is not set.

Technical Details:

JSESSION: Tomcat session management cookie.
sessionid: Clarity user session cookie.
Secure = true: Using the Secure option you can tell the browser (or other http clients) to only send the cookie over SSL connections.
Http-Only: is an option which specifies that the cookie (session identifiers included) should not be accessed from the application DOM.

Combining the Secure setting and http-only flag helps to introduce a more robust cookie that is less prone to attacks. Combined they allow the browser to restrict access to secure cookie data from scripts within the web browser. This limits the potential damage many cross site script attacks can cause - specifically, the attacks that target cookie data.

You should set this to Secure=true ONLY if you are only serving https content, for mixed content this setting in NOT supported. This isonly supported on r13.1.x or greater.

Solution:

Workaround:
Upgrade to Clarity r13.1.x or greater, enable Full SSL for Clarity and follow the configuration steps below.

Resolution:

Steps to enable Secure cookie and http-only on sessionid

  1. Edit the $CLARITY_HOME/config/properties.xml

  2. Append the attributes useHttpOnlySessionCookie="true" useSecureSessionCookie="true" to the end of <webServerInstance> where id="app" or whichever app instance you desire.

    • example:

      Figure 1

Steps to enable Secure and http-only on JSESSION

  1. For the JSESSION cookie. We need to add the below <cookie-config> elements to the../apache-tomcat-7.0.XX/conf/web.xml
      <session-config>      <session-timeout>30</session-timeout>      <cookie-config>                               <http-only>true</http-only>                               <secure>true</secure>       </cookie-config>   </session-config>

    • example:

      Figure 2

  2. Restart services on All Clarity application instances

  3. Retest Clarity login with Firebug

Keywords: CLARITYKB, http-only, Secure=ture, cookie, JSESSION, sessionid.