Camunda Optimize / OPT-3642

Secure cookie flag should always be added to the Optimize Auth cookie for https connections


    Details

    • Type: Task
    • Status: Done
    • Priority: L3 - Default
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: 3.1.0
    • Component/s: backend
    • Labels: None
    • Epic Link:
    • Effort: Not defined

      Description

      Context:
      With OPT-1929, some CSRF protection has been implemented. However, the Secure flag of the Optimize auth cookie is only added if the HTTP endpoint is disabled. This is very counterintuitive. We should also set the Secure flag for the HTTPS connection.

      AT:

      • the cookie Secure flag is always set for the HTTPS Optimize endpoint
      • all the cookie flags are tested for both the HTTP and the HTTPS endpoint
      • the documentation is adjusted so that it still recommends disabling HTTP but no longer mentions the cookie part.

      Hint:

      • currently we don't test that the cookie flags are set for the HTTPS endpoint
      • we should not set the cookie flags using the Jetty filter feature but rather do it with the CookiePatternRule, similar to how we've done it with the HeaderPatternRule in OPT-3248. So some cleanup is necessary here.
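
      As an added example (not Optimize code, and deliberately not the Jetty CookiePatternRule approach the hint recommends, because the portable servlet API keeps the decision rule readable in any container), the filter below sets the Secure attribute on the auth cookie according to whether the current request arrived over TLS, which is the behaviour this ticket asks for, instead of according to a deployment-wide "HTTP connector disabled" switch. The cookie name `X-Optimize-Authorization`, the class names and the `Set-Cookie` parsing helper are assumptions made for the example.

```java
import java.io.IOException;
import java.util.Locale;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Added example, not Optimize code: the Secure attribute of the auth cookie
 * is decided per request from request.isSecure(), not from a global
 * "HTTP connector disabled" setting. Plain-HTTP responses are left untouched,
 * so the cookie keeps working there for as long as HTTP is still enabled.
 */
public class SecureAuthCookieFilter implements Filter {

    /** Assumed cookie name for the example; Optimize's real name may differ. */
    static final String AUTH_COOKIE_NAME = "X-Optimize-Authorization";

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // isSecure() is true only when this very request arrived over TLS.
        chain.doFilter(request, new SecureCookieResponse(response, request.isSecure()));
    }

    /** Intercepts both ways a servlet can emit a cookie: addCookie() and raw Set-Cookie headers. */
    static final class SecureCookieResponse extends HttpServletResponseWrapper {
        private final boolean requestIsTls;

        SecureCookieResponse(HttpServletResponse response, boolean requestIsTls) {
            super(response);
            this.requestIsTls = requestIsTls;
        }

        @Override
        public void addCookie(Cookie cookie) {
            if (requestIsTls && AUTH_COOKIE_NAME.equals(cookie.getName())) {
                cookie.setSecure(true); // mutates the caller's Cookie; fine for this example
            }
            super.addCookie(cookie);
        }

        @Override
        public void setHeader(String name, String value) {
            super.setHeader(name, maybeHarden(name, value));
        }

        @Override
        public void addHeader(String name, String value) {
            super.addHeader(name, maybeHarden(name, value));
        }

        private String maybeHarden(String name, String value) {
            if (value != null && "Set-Cookie".equalsIgnoreCase(name)) {
                return hardenSetCookie(value, requestIsTls);
            }
            return value;
        }
    }

    /**
     * Pure decision rule, kept separate so it can be unit-tested for both
     * endpoints without a container: appends "; Secure" to a raw Set-Cookie
     * value of the auth cookie when the request came over TLS and the
     * attribute is not already present. Other cookies and plain-HTTP
     * requests are returned unchanged.
     */
    static String hardenSetCookie(String setCookie, boolean requestIsTls) {
        String cookieName = setCookie.split("=", 2)[0].trim();
        if (!requestIsTls || !AUTH_COOKIE_NAME.equals(cookieName)) {
            return setCookie;
        }
        for (String attribute : setCookie.split(";")) {
            if ("secure".equals(attribute.trim().toLowerCase(Locale.ROOT))) {
                return setCookie; // already flagged, do not duplicate the attribute
            }
        }
        return setCookie + "; Secure";
    }
}
```

      One caveat a deployment should check: behind a TLS-terminating reverse proxy, `request.isSecure()` reflects the connector Jetty itself saw, so it is false unless the proxy's `X-Forwarded-Proto` header is honoured (Jetty's `ForwardedRequestCustomizer` does this). Without that, the Secure flag would silently be dropped again for every cookie issued through the proxy.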


              People

              • Assignee: Unassigned
              • Reporter: Johannes Heinemann (johannes.heinemann)