In the web.conf file we have the following positioned:
tools.sessions.httponly = True
tools.sessions.secure = True
In the server.conf we have:
allowCookieAuth = true
cookieAuthHttpOnly = true
cookieAuthSecure = true
When looking in Chrome, some cookies have HttpOnly set, others don't:
Name: cval
Domain: splunk-dev.be.intranet
Path: /en-GB/account/
Send for: Secure connections only
Accessible to script: Yes
Name: session_id_8000
Domain: splunk-dev.be.intranet
Path: /
Send for: Secure connections only
Accessible to script: No (HttpOnly)
Name: splunkd_8000
Domain: splunk-dev.be.intranet
Path: /
Send for: Secure connections only
Accessible to script: No (HttpOnly)
Name: splunkweb_csrf_token_8000
Domain: splunk-dev.be.intranet
Path: /
Send for: Secure connections only
Accessible to script: Yes
Name: splunkweb_uid
Domain: splunk-dev.be.intranet
Path: /en-GB/account
Send for: Secure connections only
Accessible to script: Yes
What needs to be done to enforce HttpOnly for all cookies?
Hi,
Just wanted to check if there is already a way to enforce HTTPOnly directives to all cookies.
Thanks
It's true that not all Splunk cookies have the HttpOnly tag set.
Apply the below fix for default settings:
Check web.conf to see if tools.sessions.httponly is set to true:
http://docs.splunk.com/Documentation/Splunk/7.0.3/Admin/Webconf
Check server.conf to see if cookieAuthHttpOnly is set to true:
http://docs.splunk.com/Documentation/Splunk/7.0.3/Admin/Propsconf
However,
cval is a cookie test that needs access from JS (can't be HttpOnly)
csrf_token uses the double-submit pattern in JS (can't be HttpOnly)
These are intentional cookie parameters and not security relevant issues.
They basically outline and explain that these cookies are not related to any session or authentication settings and need to be accessed from JavaScript,
so they cannot be ‘HttpOnly’. The httponly flag is a mechanism to disallow the use of these cookies from script elements;
however, these cookies are used by scripting elements, so setting them as httponly would break the web interface functionality.
Thank you anaidu! I'm running into the same problem. Is there a list of all Splunk cookies that can't be HttpOnly? Is it manageable to try and exclude these using "Header edit Set-Cookie ^((?!EXCLUDED-COOKIES).*)$ $1;HttpOnly;Secure..." in httpd.conf? Or do they change too often?
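An added example, not from any of the posts above and not Splunk's own code: a small Python audit that parses Set-Cookie values, exempts only the two cookies the answer says must stay script-accessible (cval and the splunkweb_csrf_token cookie), flags every other cookie missing HttpOnly or Secure, and emulates the "Header edit" rewrite asked about in the comment above without duplicating flags on repeated application. The header values are constructed to mirror the five cookies in the question; the optional _<port> name suffix is an assumption.

```python
import re

# Cookies the answer above says Splunk Web must read from JavaScript; the
# optional _<port> suffix (assumption) matches names like splunkweb_csrf_token_8000.
SCRIPT_ACCESSIBLE = re.compile(r"^(?:cval|splunkweb_csrf_token(?:_\d+)?)$")

# Constructed Set-Cookie values mirroring the five cookies listed in the question.
SAMPLE_HEADERS = [
    "cval=123456; Path=/en-GB/account/; Secure",
    "session_id_8000=abc; Path=/; Secure; HttpOnly",
    "splunkd_8000=def; Path=/; Secure; HttpOnly",
    "splunkweb_csrf_token_8000=ghi; Path=/; Secure",
    "splunkweb_uid=jkl; Path=/en-GB/account; Secure",
]


def parse_set_cookie(header):
    """Split one Set-Cookie value into (cookie name, {attribute_lower: value})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.lower()] = value
    return name, attrs


def audit(headers):
    """Return (name, problem) pairs; script-accessible cookies are exempt from HttpOnly."""
    findings = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if "secure" not in attrs:
            findings.append((name, "missing Secure"))
        if "httponly" not in attrs and not SCRIPT_ACCESSIBLE.match(name):
            findings.append((name, "missing HttpOnly"))
    return findings


def add_flags(header):
    """Emulate 'Header edit Set-Cookie ^((?!EXCLUDED).*)$ $1;HttpOnly;Secure',
    but append only a flag that is absent, so re-applying never duplicates it."""
    name, attrs = parse_set_cookie(header)
    if SCRIPT_ACCESSIBLE.match(name):
        return header  # excluded cookie: leave it script-accessible, unchanged
    for flag in ("Secure", "HttpOnly"):
        if flag.lower() not in attrs:
            header += f"; {flag}"
    return header


if __name__ == "__main__":
    for name, problem in audit(SAMPLE_HEADERS):
        print(f"{name}: {problem}")
```

With the sample above only splunkweb_uid is reported, since the question shows it as script-accessible but the answer does not list it among the cookies that need JavaScript access.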
Don't know if you've ever found a solution to this issue, but I'm experiencing the exact same issue in version 7.0.1. I've not found any solution in Answers/Google so I've opened a case with Splunk. Will post the solution here if/when Splunk provides one.