
  • David Peck 690 posts 1896 karma points c-trib
    Sep 16, 2021 @ 11:47
    David Peck
    0

    How to set cookies as Secure/HttpOnly/SameSite

    I'm asking and answering a question, in case anyone else experiences the same issue.

    After a security audit we needed to try to make cookies Secure, HttpOnly, and SameSite.

    Setting the AppSetting <add key="Umbraco.Core.UseHttps" value="true" /> might resolve the Secure issue, but our site runs as Http on IIS and the SSL is offloaded by the CDN.

  • David Peck 690 posts 1896 karma points c-trib
    Sep 16, 2021 @ 11:49
    David Peck
    101

    I achieved this by:

      <system.webServer>
        <rewrite>
          <outboundRules>
            <!-- Cookies the BackOffice JavaScript never reads: Secure + HttpOnly + SameSite -->
            <rule name="Set UMB_UPDCHK cookie flags">
              <match serverVariable="RESPONSE_Set_Cookie" pattern="UMB_UPDCHK=[^;\s]*" />
              <action type="Rewrite" value="{R:0}; Path=/; Secure; HttpOnly; SameSite=Strict" />
            </rule>
            <rule name="Set UMB_UCONTEXT_C cookie flags">
              <match serverVariable="RESPONSE_Set_Cookie" pattern="UMB_UCONTEXT_C=[^;\s]*" />
              <action type="Rewrite" value="{R:0}; Path=/; Secure; HttpOnly; SameSite=Strict" />
            </rule>
            <rule name="Set UMB_UCONTEXT cookie flags">
              <match serverVariable="RESPONSE_Set_Cookie" pattern="UMB_UCONTEXT=[^;\s]*" />
              <action type="Rewrite" value="{R:0}; Path=/; Secure; HttpOnly; SameSite=Strict" />
            </rule>
            <rule name="Set UMB-XSRF-V cookie flags">
              <match serverVariable="RESPONSE_Set_Cookie" pattern="UMB-XSRF-V=[^;\s]*" />
              <action type="Rewrite" value="{R:0}; Path=/; Secure; HttpOnly; SameSite=Strict" />
            </rule>

            <!-- Read from JavaScript, so no HttpOnly -->
            <rule name="Set UMB_PREVIEW cookie flags">
              <match serverVariable="RESPONSE_Set_Cookie" pattern="UMB_PREVIEW=[^;\s]*" />
              <action type="Rewrite" value="{R:0}; Path=/; Secure; SameSite=Strict" />
            </rule>
            <rule name="Set UMB-XSRF-TOKEN cookie flags">
              <match serverVariable="RESPONSE_Set_Cookie" pattern="UMB-XSRF-TOKEN=[^;\s]*" />
              <action type="Rewrite" value="{R:0}; Path=/; Secure; SameSite=Strict" />
            </rule>
            <!-- UMB_MCULTURE cookie is only ever set via JavaScript. Can't -->
          </outboundRules>
        </rewrite>
      </system.webServer>
    

    Now UMB_MCULTURE is only ever set and read by JavaScript. That means it is never in an HTTP response for me to modify. We'd need to create some JavaScript to update the cookie.

    Setting UMB-XSRF-TOKEN or UMB_PREVIEW to HttpOnly breaks the BackOffice because the value is used by JavaScript.
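    A post-deployment check, added here as an illustration and not code from this thread or from Umbraco: it parses the Set-Cookie headers of a captured response and reports which Umbraco cookies still lack the flags the rules above add, exempting UMB-XSRF-TOKEN and UMB_PREVIEW from HttpOnly for the reason the answer gives. The cookie names come from the rules above; the sample response is constructed.

```python
from typing import Dict, List, Tuple

# Cookie names taken from the outbound rules in the answer above.
UMBRACO_COOKIES = {
    "UMB_UPDCHK", "UMB_UCONTEXT_C", "UMB_UCONTEXT",
    "UMB-XSRF-V", "UMB-XSRF-TOKEN", "UMB_PREVIEW",
}
# The BackOffice JavaScript reads these, so HttpOnly must NOT be set on them.
JS_READABLE = {"UMB-XSRF-TOKEN", "UMB_PREVIEW"}


def parse_set_cookie(value: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a Set-Cookie value into (name, value, {attribute_lower: attr_value})."""
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), cookie_value, attrs


def missing_flags(value: str) -> List[str]:
    """Return the flags a cookie should carry under the policy above but does not."""
    name, _, attrs = parse_set_cookie(value)
    missing = []
    if "secure" not in attrs:
        missing.append("Secure")
    if name not in JS_READABLE and "httponly" not in attrs:
        missing.append("HttpOnly")
    if attrs.get("samesite", "").lower() not in ("strict", "lax"):
        missing.append("SameSite")
    return missing


def audit_response(raw_headers: str) -> Dict[str, List[str]]:
    """Map each Umbraco cookie found in a raw HTTP response head to its missing flags."""
    report: Dict[str, List[str]] = {}
    for line in raw_headers.splitlines():
        if line.lower().startswith("set-cookie:"):
            value = line.split(":", 1)[1].strip()
            name, _, _ = parse_set_cookie(value)
            if name in UMBRACO_COOKIES:
                report[name] = missing_flags(value)
    return report


# Constructed sample: one cookie untouched by the rules, two rewritten, one unrelated.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Set-Cookie: UMB_UCONTEXT=abc123; path=/; HttpOnly
Set-Cookie: UMB-XSRF-TOKEN=tok; Path=/; Secure; SameSite=Strict
Set-Cookie: UMB_PREVIEW=1; Path=/; SameSite=Strict
Set-Cookie: ASP.NET_SessionId=xyz; path=/; HttpOnly
"""

if __name__ == "__main__":
    for cookie, gaps in audit_response(SAMPLE_RESPONSE).items():
        print(cookie, "OK" if not gaps else "missing " + ", ".join(gaps))
```

    Point it at the raw response head captured from the public hostname (behind the CDN), since that is where the SSL offload decides whether Secure cookies are usable at all.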

  • Hubert 9 posts 39 karma points
    Mar 16, 2022 @ 15:10
    Hubert
    0

    This should be part of the official docs!

    Thank you, David!
