Set OutSystems Cookies HttpOnly

Hi everyone,

I'm working with a client that runs security tests on OutSystems pages, and one of the warnings is that the pageLoadedFromBrowserCache cookie should be HttpOnly. Is there a way to configure this in Lifetime?

Regards,

Marcelo

Hello Marcelo,


I believe that's an IIS configuration. [Additional link] [And another one]


If you have on-premises, you should be able to do it yourself. If not, I would advise contacting Support. Obviously, a better answer from more knowledgeable people may appear. :)


Cheers

Hi,

I need HttpOnly cookies too. The strange thing is that my own cookies are not HttpOnly, while the cookies from OutSystems itself, like osVisitor, have HttpOnly set. How is this possible? This is the same IIS, right?

Hey there,

I've published a new component that should allow you to create cookies as HttpOnly. It's in the development phase, so please be aware of - and report - any malfunctions!


Cheers!

Solution

Just a note since the initial answers pointed to settings that set all cookies as HttpOnly:

- You cannot set all cookies as HttpOnly.

Well, technically you can, and it will stop the complaints on your security scans... but that doesn't mean the applications will continue working as expected.

Some cookies need to be accessible in JavaScript. "pageLoadedFromBrowserCache", for example, is one of those. In this documentation there are descriptions of each cookie's purpose. Non-security or non-sensitive cookies have no reason to be forced to HttpOnly.

Another good example is documented on the Mobile App Authentication pages. As you can see there, one of the cookies is on purpose not set to HttpOnly, since it needs to be accessible in JavaScript for the app to work.


So in summary: decide for each cookie what its purpose is (needed in JavaScript or not), its security relevance, and whether it contains sensitive information. Based on that, set it HttpOnly or not.

Don't blindly follow a security scan report and force everything at the IIS / proxy level, or apps will break.


Regards,

João Rosado

Solution

Hi João,

Thanks for the answer. That was exactly the answer I was looking for.

Regards,

Marcelo 

Hi,

But it's strange that the standard SetCookie function does not have the ability to mark a cookie as HttpOnly. You can only use it to set a cookie as Secure.

Thanks, Armando, for the extension.

How can we ask OutSystems to give the default SetCookie function the ability to mark a cookie as HttpOnly?

Regards, 

Johan

Hi Johan,


The best is to add it as an Idea.

That way it gives the development teams awareness of how much interest there is in the improvement, and you get notified when the idea is implemented.


Regards,
João Rosado