HTTP only cookies and Outsystems

Our server sets an http only cookie after users authenticate. When we make a REST request from our Outsystems mobile app, the cookie is not in the request. Should we expect to receive that cookie on every request, or is there a better way to handle http only cookies?

Thanks

Hi Lorenzo,

This thread answers your question.

TL;DR: You shouldn't set all cookies as HttpOnly. Decide for each cookie whether it contains sensitive information or not, and based on that set it to HttpOnly.

Read more about Cookie Usage

Regards,

Swatantra

Swatantra Kumar wrote:

Hi Lorenzo,

This thread answers your question.

TL;DR: You shouldn't set all cookies as HttpOnly. Decide for each cookie whether it contains sensitive information or not, and based on that set it to HttpOnly.

Read more about Cookie Usage

Regards,

Swatantra

This is precisely what we do with the cookie. It does contain sensitive information, therefore http only. But back to my original question:

Does an Outsystems REST action send the httponly cookies?



Lorenzo Thurman wrote:

Swatantra Kumar wrote:

Hi Lorenzo,

This thread answers your question.

TL;DR: You shouldn't set all cookies as HttpOnly. Decide for each cookie whether it contains sensitive information or not, and based on that set it to HttpOnly.

Read more about Cookie Usage

Regards,

Swatantra

This is precisely what we do with the cookie. It does contain sensitive information, therefore http only. But back to my original question:

Does an Outsystems REST action send the httponly cookies?



As pointed out in the above thread, the answer is that "HTTPOnly setting is configured at IIS level". So, it depends on what the configuration is in your environment.

Lorenzo,

The HTTPOnly setting is configured at IIS level.

In OutSystems, REST, SOAP or any other HTTP request relies on the HTTPRequestHandler extension to manipulate HTTP requests and responses. This extension uses the System.Web.HttpCookie class to manipulate individual HTTP cookies unless explicitly defined.

You may use the HTTPCookie Monster extension to forcibly set the cookie as HTTP only. I am unsure, but you may also try out the Service Center Factory Configuration application component, as it provides an interface to customize an array of platform options.

---

Swatantra

Lorenzo Thurman wrote:

Our server sets an http only cookie after users authenticate. When we make a REST request from our Outsystems mobile app, the cookie is not in the request. Should we expect to receive that cookie on every request, or is there a better way to handle http only cookies?

Thanks

Hi Lorenzo,

As per my understanding, you need to handle that cookie-like mechanism yourself in each of your REST request calls.
You can set some value when calling the REST API, and when you send a request to the same API again, you can check on the API end that the request is from the same user, like an OAuth token would work.


Salman Ansari wrote:

Lorenzo Thurman wrote:

Our server sets an http only cookie after users authenticate. When we make a REST request from our Outsystems mobile app, the cookie is not in the request. Should we expect to receive that cookie on every request, or is there a better way to handle http only cookies?

Thanks

Hi Lorenzo,

As per my understanding, you need to handle that cookie-like mechanism yourself in each of your REST request calls.
You can set some value when calling the REST API, and when you send a request to the same API again, you can check on the API end that the request is from the same user, like an OAuth token would work.



Are you saying I have to create a custom header and include the cookie myself?

Swatantra Kumar wrote:

Lorenzo,

The HTTPOnly setting is configured at IIS level.

In OutSystems, REST, SOAP or any other HTTP request relies on the HTTPRequestHandler extension to manipulate HTTP requests and responses. This extension uses the System.Web.HttpCookie class to manipulate individual HTTP cookies unless explicitly defined.

You may use the HTTPCookie Monster extension to forcibly set the cookie as HTTP only. I am unsure, but you may also try out the Service Center Factory Configuration application component, as it provides an interface to customize an array of platform options.

---

Swatantra

I understand that httponly is configured in IIS. Let me try to bring some clarity to my question:

When a user logs in, our server (IIS) sets an httponly cookie on the client.

Every REST request from the client _should_ include this cookie, per the specification.

The target api on our IIS server serves both our web application and our outsystems application. Every REST request from the web application includes the httponly cookies in the header. So again, when an Outsystems app makes a REST request to a server (IIS), does it include the httponly cookies as any browser like Chrome would do?
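The distinction this post relies on, that HttpOnly controls what page script can read and not whether a jar-keeping client sends the cookie back, can be checked with a small cookie-jar model. This is an added example, not code from the thread or from OutSystems; the Set-Cookie values are constructed and the session/theme cookie names are hypothetical, and it also adds a check that a session-bearing cookie carries the HttpOnly and Secure flags.

```python
"""Cookie-jar model: HttpOnly restricts script access, not transmission."""
from http.cookies import SimpleCookie

# Constructed Set-Cookie values as a server might return them after login.
# The cookie names and values are hypothetical.
LOGIN_SET_COOKIE = [
    "session=abc123; Path=/; HttpOnly; Secure; SameSite=Strict",
    "theme=dark; Path=/",
]


def parse_set_cookie(headers):
    """Build a jar {name: {value, httponly, secure, samesite}} from Set-Cookie values."""
    jar = {}
    for header in headers:
        parsed = SimpleCookie()
        parsed.load(header)
        for name, morsel in parsed.items():
            jar[name] = {
                "value": morsel.value,
                "httponly": bool(morsel["httponly"]),
                "secure": bool(morsel["secure"]),
                "samesite": morsel.get("samesite", ""),
            }
    return jar


def cookie_header(jar, https=True):
    """Cookie header a jar-keeping client (a browser, or an app with its own jar)
    sends on the next request. HttpOnly plays no role here; only Secure filters."""
    sent = [f"{n}={c['value']}" for n, c in jar.items() if https or not c["secure"]]
    return "; ".join(sent)


def script_visible(jar):
    """What document.cookie exposes to page script: HttpOnly cookies are excluded."""
    return {n: c["value"] for n, c in jar.items() if not c["httponly"]}


def missing_flags(jar, sensitive):
    """Defender's check: every sensitive cookie should carry HttpOnly and Secure."""
    return {n: [f for f in ("httponly", "secure") if not jar[n][f]]
            for n in sensitive if n in jar}


if __name__ == "__main__":
    jar = parse_set_cookie(LOGIN_SET_COOKIE)
    print("next request Cookie:", cookie_header(jar))
    print("visible to script:", script_visible(jar))
    print("missing on session:", missing_flags(jar, ["session"]))
```

A client that does not keep a jar at all sends no Cookie header, which is the situation described in this thread; nothing about the HttpOnly flag changes that.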

Lorenzo Thurman wrote:

Salman Ansari wrote:

Lorenzo Thurman wrote:

Our server sets an http only cookie after users authenticate. When we make a REST request from our Outsystems mobile app, the cookie is not in the request. Should we expect to receive that cookie on every request, or is there a better way to handle http only cookies?

Thanks

Hi Lorenzo,

As per my understanding, you need to handle that cookie-like mechanism yourself in each of your REST request calls.
You can set some value when calling the REST API, and when you send a request to the same API again, you can check on the API end that the request is from the same user, like an OAuth token would work.



Are you saying I have to create a custom header and include the cookie myself?

I found this plugin in the Forge. Might this be the best way to manage httponly cookies?

https://www.outsystems.com/forge/component-overview/3319/cookiemanagerplugin