[OPT-3642] Secure cookie flag should always be added to the Optimize Auth cookie for https connections - camunda JIRA

XML

Word

Printable

Details

Type: Task
Status: Done
Priority: L3 - Default
Resolution: Done
Affects Version/s: None
Fix Version/s: 3.1.0
Component/s: backend
Labels:
None

Effort:
Not defined
Epic Link:
None

Description

Context:
With ~~OPT-1929~~, some CRSF protection has been implemented. However, the secure flag of the Optimize auth cookie is only added if the http endpoint is disabled. This is very counterintuitive. We should also set the secure flag for the https connection.

AT:

the is cookie secure flag is always set for the HTTPS Optimize endpoint
all the cookie flags that are tested for HTTP and HTTPS endpoint
the documentation is adjusted that it still recommends disabling HTTP but does not mention the cookie part any longer.

Hint:

currently we don't test that the cookie flags are set for the https endpoint
we should not set the cookie filter using the jetty filter feature but rather do it with the CookiePatternRule similar to how we've done it with the HeaderPatternRule in OPT-3248. So some clean up is necessary here.

mgm-controller-panel

This is the controller panel for Smart Panels app

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Johannes

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 11/May/20 8:57 AM

Updated:: 14/Jul/20 5:49 PM

Resolved:: 09/Jul/20 12:09 PM