# Secure generation of cookies with the HttpOnly attribute

```dart
import 'package:shelf/shelf.dart' as shelf;

shelf.Response handleRequest(shelf.Request request) {
  return shelf.Response.ok('Hello, World!')
      .change(headers: {
    'Set-Cookie': 'sessionId=38afes7a8; path=/; domain=.example.com'
  });
}
```
In the above code, a cookie named `sessionId` is being set without the `HttpOnly` attribute.

The `HttpOnly` attribute is a flag that can be included in a `Set-Cookie` HTTP response header. Using the `HttpOnly` flag when generating a cookie helps mitigate the risk of client-side script accessing the protected cookie. If a browser that supports `HttpOnly` detects a cookie carrying the `HttpOnly` flag and client-side script attempts to read the cookie, the browser returns an empty string as the result. This makes the cookie inaccessible to client-side scripting, which mitigates the risk of a script reading a protected cookie and, in turn, reduces the impact of cross-site scripting attacks.

In the provided code, the `sessionId` cookie is generated without the `HttpOnly` flag, which means it is accessible via client-side script. This is a security vulnerability because it exposes the session ID stored in the cookie to potential Cross-Site Scripting (XSS) attacks. An attacker who can run script in the page could use this to hijack the user's session, leading to potential unauthorized access to the system.
```dart
import 'package:shelf/shelf.dart' as shelf;

shelf.Response handleRequest(shelf.Request request) {
  return shelf.Response.ok('Hello, World!')
      .change(headers: {
    'Set-Cookie': 'sessionId=38afes7a8; HttpOnly; path=/; domain=.example.com'
  });
}
```
The original code was setting a cookie without the `HttpOnly` attribute. This attribute is important because it helps to mitigate the risk of cross-site scripting (XSS) attacks by preventing the cookie from being accessed via JavaScript.

In the fixed code, the `HttpOnly` attribute is added to the `Set-Cookie` header. This is done by simply appending `HttpOnly;` to the string that sets the cookie.

Now the `sessionId` cookie is set with the `HttpOnly` attribute, which means it cannot be accessed through client-side scripts. This is a good practice to enhance the security of your application.

Remember to test your application after making this change to ensure that everything works as expected and that the `HttpOnly` attribute is being properly set.
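The fixed code above hand-writes the `Set-Cookie` string, and the closing advice is to verify that the attribute really lands in the response. The following Dart snippet is an added example, not code from the original page or from the shelf project: it centralises cookie construction in a helper (`buildSessionCookie`, an assumed name) so that `HttpOnly` cannot be forgotten, goes beyond the page by also emitting `Secure` and `SameSite=Strict`, refuses values that could smuggle extra attributes into the header, and provides a small check (`hasHttpOnly`, also an assumed name) that parses a `Set-Cookie` value the way a test would. The session id `38afes7a8` is the placeholder from the page, not a real token.

```dart
import 'package:shelf/shelf.dart' as shelf;

/// Builds a Set-Cookie header value for the session cookie with the
/// hardening attributes browsers honour: HttpOnly (no script access),
/// Secure (sent over HTTPS only) and SameSite=Strict (not sent on
/// cross-site requests). Attribute layout follows RFC 6265. This helper is
/// an assumed name for illustration, not part of the shelf API.
String buildSessionCookie(String sessionId,
    {String path = '/', String? domain, Duration? maxAge}) {
  // A ';' or CR/LF inside the value would let an attacker-controlled
  // id terminate the cookie early and append its own attributes.
  if (RegExp(r'[;\r\n]').hasMatch(sessionId)) {
    throw ArgumentError('session id contains cookie delimiter characters');
  }
  final parts = <String>['sessionId=$sessionId'];
  if (maxAge != null) parts.add('Max-Age=${maxAge.inSeconds}');
  parts.add('Path=$path');
  if (domain != null) parts.add('Domain=$domain');
  // Always last, always present: these are the attributes we must not lose.
  parts.addAll(['Secure', 'HttpOnly', 'SameSite=Strict']);
  return parts.join('; ');
}

/// Returns true when a Set-Cookie value carries the HttpOnly attribute.
/// RFC 6265 attribute names are case-insensitive, so the comparison is
/// done on a lowercased, trimmed copy of each attribute.
bool hasHttpOnly(String setCookieValue) {
  return setCookieValue
      .split(';')
      .skip(1) // the first segment is the name=value pair, not an attribute
      .map((attr) => attr.trim().toLowerCase())
      .contains('httponly');
}

shelf.Response handleRequest(shelf.Request request) {
  // Constructed placeholder id taken from the page; a real application
  // would generate a cryptographically random session id per login.
  final cookie = buildSessionCookie('38afes7a8',
      domain: '.example.com', maxAge: const Duration(hours: 8));
  return shelf.Response.ok('Hello, World!', headers: {'Set-Cookie': cookie});
}

void main() {
  // shelf.Request needs a method and a URI; both are constructed here.
  final response =
      handleRequest(shelf.Request('GET', Uri.parse('https://example.com/')));
  // shelf normalises header names to lowercase on lookup.
  final setCookie = response.headers['set-cookie'] ?? '';
  print('Set-Cookie: $setCookie');
  print('HttpOnly present: ${hasHttpOnly(setCookie)}');
  // The page's original, unhardened header fails the same check.
  print('Original header HttpOnly present: '
      '${hasHttpOnly('sessionId=38afes7a8; path=/; domain=.example.com')}');
}
```

Running `main` prints the hardened header, `HttpOnly present: true` for it and `false` for the page's original header. The `hasHttpOnly` check is the kind of assertion to put in a request-handler test so a future edit that drops the attribute fails the build rather than shipping.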