Camunda Optimize / OPT-3642

Secure cookie flag should always be added to the Optimize Auth cookie for https connections

Details

    • Task
    • Resolution: Done
    • L3 - Default
    • 3.1.0
    • None
    • backend
    • None
    • Not defined

    Description

      Context:
      With OPT-1929, some CSRF protection has been implemented. However, the secure flag of the Optimize auth cookie is only added if the HTTP endpoint is disabled. This is very counterintuitive. We should also set the secure flag for the HTTPS connection.

      AT:

      • the cookie secure flag is always set for the HTTPS Optimize endpoint
      • all the cookie flags are tested for the HTTP and HTTPS endpoints
      • the documentation is adjusted so that it still recommends disabling HTTP but no longer mentions the cookie part.

      Hint:

      • currently we don't test that the cookie flags are set for the HTTPS endpoint
      • we should not set the cookie filter using the Jetty filter feature but rather do it with the CookiePatternRule, similar to how we've done it with the HeaderPatternRule in OPT-3248. So some cleanup is necessary here.
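
The acceptance criteria above, as an added example that is not part of the ticket or of Optimize's code: it models the described behaviour (Secure only when the HTTP endpoint is disabled) beside the requested one, and checks the auth cookie's flags per endpoint. The cookie name, the token, the HttpOnly/SameSite expectations and all function names are assumptions made for illustration.

```python
# Added example, not Optimize code. Cookie name, token, the HttpOnly/SameSite
# expectations and the SameSite value are assumptions made for illustration.
AUTH_COOKIE = "auth-cookie-placeholder"  # placeholder, not the real cookie name


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {lower-cased attribute: value})."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def secure_before(scheme, http_endpoint_enabled):
    # Behaviour the ticket describes: Secure only once the HTTP endpoint is disabled.
    return not http_endpoint_enabled


def secure_after(scheme, http_endpoint_enabled):
    # Requested behaviour: Secure on every HTTPS response, whatever the HTTP setting.
    return scheme == "https"


def build_auth_cookie(token, secure):
    parts = [f"{AUTH_COOKIE}={token}", "Path=/", "HttpOnly", "SameSite=Strict"]
    return "; ".join(parts + (["Secure"] if secure else []))


def missing_flags(scheme, header):
    """Flags expected on the auth cookie for this scheme that the header lacks."""
    name, _, attrs = parse_set_cookie(header)
    if name != AUTH_COOKIE:
        return []  # not the auth cookie, nothing to check
    expected = ["httponly", "samesite"] + (["secure"] if scheme == "https" else [])
    return [flag for flag in expected if flag not in attrs]


def audit(policy, http_endpoint_enabled):
    """Check the cookie on both endpoints under one policy: {scheme: missing flags}."""
    result = {}
    for scheme in ("http", "https"):
        header = build_auth_cookie("constructed-token", policy(scheme, http_endpoint_enabled))
        result[scheme] = missing_flags(scheme, header)
    return result
```

With both endpoints enabled, `audit(secure_before, True)` reports `secure` missing on HTTPS, while `audit(secure_after, True)` reports nothing missing on either endpoint.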

            People

              Unassigned Unassigned
              johannes.heinemann Johannes