How to set Session Cookie to Application Folder
Service Studio Version
11.11.4 (Build 43812)

Hi All,


We would like to ask how we can set up the session cookie for the application folder and not the root.

We need to accomplish this as per the InfoSecurity review of the site.


How can we accomplish or implement the recommendation below?

The risk here being if any of the other applications on the server is compromised, setting the session cookie to root would lead to transmission of the session cookie beyond the information system. Hence, the path should be set to the application folder (e.g. /application/<application website>) and not root (/).


Here is an attached sample module. How can I create the session cookie for the asdf application only and not in the root?

Thanks, or can someone enlighten me about this security review thing?

asdf.oap


Hi d cabral,

In OutSystems, the session is shared between all OutSystems applications by design... namely the Single Sign-On mechanism relies on this as far as I know.

Can you provide us more context on the recommendation and if there are other applications in use on the OutSystems factory?

Hi Jorge,

About more context on the recommendation: that is the whole phrase our InfoSec said. Also, as for other applications, we only have 1 application.


Is this the information you need? 


That doesn't really add much... but I brought this to the attention of the OutSystems team, hopefully they will be able to help you.

In the meantime, I did find this regarding your InfoSec concern... the post linked explains how it works for application cookies you set yourself, but the session cookie is managed by the platform itself.

We asked InfoSec for more information and here is what they told us.

"<Our Application> utilizes a SHARED environment. What is meant by this: If utilized, the domain and path attribute must be set on all session cookies to prevent transmission beyond the required information systems"


BTW, I checked the platform configuration tab in FactoryConfiguration and saw it has Secure Session Cookies.
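
The path scoping that the InfoSec recommendation relies on, as an added example that is not part of the thread and not OutSystems code: it applies the RFC 6265 path-match rules to a Set-Cookie header and lists the request paths outside the application folder that would still receive the cookie. The cookie name and value and the `/otherapp` and `/asdfother` paths are constructed for illustration; `/asdf` follows the sample module name in the question.

```python
# Added example: RFC 6265 (section 5.1.4) cookie path scoping.
# Cookie name/value and the /otherapp, /asdfother paths are constructed.

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, attributes keyed in lower case)."""
    first, *rest = [part.strip() for part in header.split(";")]
    attrs = {}
    for part in rest:
        key, _, value = part.partition("=")
        if key:
            attrs[key.strip().lower()] = value.strip()
    return first.split("=", 1)[0], attrs

def default_path(request_path):
    """Scope a browser assigns when the Path attribute is missing or invalid."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path[: request_path.rfind("/")]

def path_match(cookie_path, request_path):
    """True if a browser would attach a cookie scoped to cookie_path."""
    if cookie_path == request_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"

def effective_path(set_cookie, set_by_path):
    """Path attribute if valid, otherwise the default-path of the setting URL."""
    _, attrs = parse_set_cookie(set_cookie)
    path = attrs.get("path", "")
    return path if path.startswith("/") else default_path(set_by_path)

def leaks_outside(set_cookie, set_by_path, app_root, request_paths):
    """Request paths outside app_root that would still receive the cookie."""
    scope = effective_path(set_cookie, set_by_path)
    return [p for p in request_paths
            if path_match(scope, p) and not path_match(app_root, p)]

# Constructed request paths on one shared host.
SAMPLE_PATHS = ["/asdf/Home.aspx", "/asdf/", "/asdfother/Login.aspx", "/otherapp/Page.aspx"]

if __name__ == "__main__":
    for header in ("SESSION_EXAMPLE=abc123; Path=/; Secure; HttpOnly",
                   "SESSION_EXAMPLE=abc123; Path=/asdf; Secure; HttpOnly"):
        print(header, "->", leaks_outside(header, "/asdf/Login.aspx", "/asdf", SAMPLE_PATHS))
```

Feed it the Set-Cookie headers captured from a real response to see the scope the browser will actually apply, including the default scope when no Path attribute is sent.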
