Sign in Register
Go to solution
Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at


  • David Peck 690 posts 1896 karma points c-trib
    Sep 16, 2021 @ 11:47
    David Peck
    0

    How to set cookies cookies as Secure/HttpOnly/SameSite

    I'm asking and answering a question, in case anyone else experiences the same issue.

    After a security audit we needed to try to make cookies Secure, HttpOnly, and SameSite.

    Setting the AppSetting <add key="Umbraco.Core.UseHttps" value="true" /> might resolve the Secure issue, but our site runs as Http on IIS and the SSL is offloaded by the CDN.

    Copy Link
  • David Peck 690 posts 1896 karma points c-trib
    Sep 16, 2021 @ 11:49
    David Peck
    101

    I achieved this by:

      <system.webServer>
    <rewrite>      
      <outboundRules>
        <rule name="Set UMB_UPDCHK cookie flags">
          <match serverVariable="RESPONSE_Set_Cookie" pattern="UMB_UPDCHK=[^;\s]*" />
          <action type="Rewrite" value="{​​​​​​R:0}​​​​​​; Path=/; Secure; HttpOnly; SameSite=Strict" />
        </rule>
        <rule name="Set UMB_UCONTEXT_C cookie flags">
          <match serverVariable="RESPONSE_Set_Cookie" pattern="UMB_UCONTEXT_C=[^;\s]*" />
          <action type="Rewrite" value="{​​​​​​R:0}​​​​​​; Path=/; Secure; HttpOnly; SameSite=Strict" />
        </rule>
        <rule name="Set UMB_UCONTEXT cookie flags">
          <match serverVariable="RESPONSE_Set_Cookie" pattern="UMB_UCONTEXT=[^;\s]*" />
          <action type="Rewrite" value="{​​​​​​R:0}​​​​​​; Path=/; Secure; HttpOnly; SameSite=Strict" />
        </rule>
        <rule name="Set UMB-XSRF-V cookie flags">
          <match serverVariable="RESPONSE_Set_Cookie" pattern="UMB-XSRF-V=[^;\s]*" />
          <action type="Rewrite" value="{​​​​​​R:0}​​​​​​; Path=/; Secure; HttpOnly; SameSite=Strict" />
        </rule>

        <!-- Read from JavaScript, so no HttpOnly -->
        <rule name="Set UMB_PREVIEW cookie flags">
          <match serverVariable="RESPONSE_Set_Cookie" pattern="UMB_PREVIEW=[^;\s]*" />
          <action type="Rewrite" value="{​​​​​​R:0}​​​​​​; Path=/; Secure; SameSite=Strict" />
        </rule>
        <rule name="Set UMB-XSRF-TOKEN cookie flags">
          <match serverVariable="RESPONSE_Set_Cookie" pattern="UMB-XSRF-TOKEN=[^;\s]*" />
          <action type="Rewrite" value="{​​​​​​R:0}​​​​​​; Path=/; Secure; SameSite=Strict" />
        </rule>
        <!-- UMB_MCULTURE cookie is only ever set via JavaScript. Can't -->
      </outboundRules>

    </rewrite>
  </system.webServer>

    Now UMB_MCULTURE is only ever set and read by JavaScript. That means it is never in a HTTP response for me to modify. We'd need to create some JavaScript to update the cookie.

    Setting UMB-XSRF-TOKEN or UMB_PREVIEW to HttpOnly breaks the BackOffice because the value is used by JavaScript.

    Copy Link
  • Hubert 9 posts 39 karma points
    Mar 16, 2022 @ 15:10
    Hubert
    0

    This should be part of the official docs!

    Thank you, David!

    Copy Link
Please Sign in or register to post replies

Write your reply to:

Draft