Hi isomorphic, We have a customer who complaints that the smartlcient cookie "GLog" is not enabled with HttpOnly and secure flags. So a client can read the value of these cookie. Please help us in resolving this issue.
-
-
That is correct. The client creates, reads and writes that cookie. It is used by the client logging system. -
If we set the attributes with HttpOnly and secure flags for the cookie "GLog" in server side, will any of the functionalities be broken in smartclient ? Because our customer wants to set those flags for all cookies in our application.Comment
-
If you are able to do that the client should be fine.Comment
-
How to create a Cookie in smartclient JS file with HttpOnly and secure attributes ?Comment
-
SmartClient does not provide client-side APIs to manipulate cookies. You can use direct browser APIs or core GWT APIs if you like.
Bear in mind this entirely task is useless. This cookie stores settings for the Developer Console. It has no security ramifications whatsoever, and only a developer would have it regardless. You are probably better off educating your customer rather than spending additional effort on modifying this cookie.Comment
-
Hi SmartClient, We are setting httponly and secured attributes for our application Cookie in javascript file.
var xCookie = new Cookie(document, "xyz", 0, null, null, true);
The last parameter true is for setting secured attribute true and it works fine. Similarly, is there any attribute for setting httpOnly attribute to true in this syntax ? Please clarify.
Comment
-
HttpOnly means a cookie is not accessible to JavaScript, so no, you cannot set a cookie to HttpOnly from JavaScript.Comment
-
Not also that since this cookie is manipulated by script (that's the point - it has log settings), this task is not only useless but will also just break your Developer Console.Comment
-
Hi SmartClient, what is the value stored in GLog ? Is it in plain text or is the text in encoded format ? If the text is in plain text, can you please encode the value stored in GLog cookie. Our customer is more worried about the security vulnerability.Comment
-
I verified our application, the cookie value stored in GLog is "%7B%0D%20%20%20%20trackRPC%3Afalse%0D%7D". This is not application specific data and it looks like used by smartclient UI. Will "GLog" cookie only store trackRPC parameter and its value ? When I enable the HttpOnly and Secured attributes for the cookie, I see that smartclient UI is not displayed properly.Comment
-
Again, the information stored in the GLog cookie is settings for use of the Developer Console. It has no security implications and no changes will be made in this area, because any such changes would be entirely useless.
Please educate your customer rather than asking for further useless changes.Comment
Comment