JOSSO

JOSSO Agent Session Cookies are not marked as 'secure' when using secure server connections

Details

  • Description:
    I'm putting this issue in as a critical bug because I feel that it is relatively serious. The JOSSO SSO cookies created by HttpSSOAgent#newJossoCookie are not set to "secure" by default. This means that the cookie will be transported over ssl and non-ssl connections. The non-ssl transport is usually undesirable because it can be snooped. I've patched my JOSSO 1.7 org.josso.tc55.agent.SSOAgentValve like so:

    cookie = _agent.newJossoCookie(request.getContextPath(), entry.ssoId);
    if (request.isSecure()) cookie.setSecure(true);
    hres.addCookie(cookie);

    .. but I feel that the secure conditional check should probably be ported to the HttpSSOAgent#newJossoCookie method so it can apply to all Valves:

         public Cookie newJossoCookie(String path, String value, boolean secure) {

            // Some browsers don't like cookies without paths. This is useful for partner applications configured in the root context
            if (path == null || "".equals(path))
                path = "/";

            Cookie ssoCookie = new Cookie(org.josso.gateway.Constants.JOSSO_SINGLE_SIGN_ON_COOKIE, value);
            ssoCookie.setMaxAge(-1);
            ssoCookie.setPath(path);

            // Mark the cookie Secure when the request came in over SSL, so browsers only send it back over SSL
            ssoCookie.setSecure(secure);

            // TODO : Check domain
            //ssoCookie.setDomain(cfg.getSessionTokenScope());

            return ssoCookie;
        }

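The following is an added example, not JOSSO's code and not the reporter's patch. It shows two ways to get the Secure flag onto the SSO cookie: a cookie factory that derives the flag from the request, and a servlet Filter that stamps Secure onto every cookie written on a TLS request, which is the option left when the agent's own code cannot be changed. Assumptions: a Servlet 3.0 or later API (needed for Cookie.setHttpOnly), a placeholder cookie name standing in for the JOSSO constant, and, for the X-Forwarded-Proto check, a trusted reverse proxy in front of the container.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Added example (not JOSSO code): issuing an SSO session cookie whose
 * Secure flag follows the transport the request actually arrived on.
 */
public final class SecureSsoCookies {

    // Assumption: placeholder for the name JOSSO keeps in
    // org.josso.gateway.Constants.JOSSO_SINGLE_SIGN_ON_COOKIE.
    static final String SSO_COOKIE_NAME = "SSO_COOKIE_NAME_PLACEHOLDER";

    private SecureSsoCookies() {}

    /**
     * Builds the SSO cookie. Secure is set when the client used TLS, so the
     * browser never replays the token over plain HTTP; HttpOnly keeps it out
     * of document.cookie. Nothing is read from the cookie before it exists.
     */
    public static Cookie newSsoCookie(HttpServletRequest request, String path, String value) {
        if (path == null || path.isEmpty()) {
            path = "/";                       // root context, same reasoning as the agent's comment
        }
        Cookie ssoCookie = new Cookie(SSO_COOKIE_NAME, value);
        ssoCookie.setMaxAge(-1);              // session cookie, dropped when the browser closes
        ssoCookie.setPath(path);
        ssoCookie.setSecure(clientUsedTls(request));
        ssoCookie.setHttpOnly(true);          // Servlet 3.0+ API (assumption)
        return ssoCookie;
    }

    /**
     * request.isSecure() is false when TLS terminates at a reverse proxy and the
     * container only sees plain HTTP. Assumption: the proxy is trusted and sets
     * X-Forwarded-Proto; a forged "https" from a client only makes its own cookie
     * stricter, never weaker.
     */
    public static boolean clientUsedTls(HttpServletRequest request) {
        if (request.isSecure()) {
            return true;
        }
        String proto = request.getHeader("X-Forwarded-Proto");
        return proto != null && proto.equalsIgnoreCase("https");
    }

    /**
     * Filter for deployments where the agent code cannot be touched: wraps the
     * response so every cookie added on a TLS request carries the Secure flag,
     * regardless of which Valve or servlet added it.
     */
    public static final class SecureCookieFilter implements Filter {

        @Override
        public void init(FilterConfig filterConfig) {}

        @Override
        public void destroy() {}

        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            if (req instanceof HttpServletRequest && clientUsedTls((HttpServletRequest) req)) {
                HttpServletResponse wrapped = new HttpServletResponseWrapper((HttpServletResponse) res) {
                    @Override
                    public void addCookie(Cookie cookie) {
                        cookie.setSecure(true);   // enforce on the way out
                        super.addCookie(cookie);
                    }
                };
                chain.doFilter(req, wrapped);
            } else {
                chain.doFilter(req, res);
            }
        }
    }
}
```

The filter is registered in web.xml ahead of anything that writes cookies; note that a Tomcat Valve runs before servlet filters, so for a Valve-issued cookie the factory approach (or the agent fix the reporter proposes) is the one that applies. To confirm the fix, fetch a page over HTTPS and check that the Set-Cookie response header for the SSO cookie carries the Secure attribute; over plain HTTP it should not be issued at all in a correctly deployed setup, which is the point of the second comment below.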

Activity

Jon French added a comment - 10/Sep/10 1:42 PM
I forgot to thank odds'n'sods for their helpful post related to this issue:
http://edeustace.wordpress.com/2010/07/09/adding-the-httponly-cookie-to-a-java-webapp-and-josso/
Sebastian Gonzalez Oyuela added a comment - 23/Sep/10 10:18 AM
JOSSO SSO Agent created cookies will honor the request secure state. You need to make sure to access the application using a secure connection.

People

Dates

  • Created:
    10/Sep/10 1:40 PM
    Updated:
    12/Aug/11 7:34 AM
    Resolved:
    23/Sep/10 6:29 PM