Session cookies are often seen as one of the biggest problems for security and privacy with HTTP, yet oftentimes, it’s necessary to utilize it to maintain state in modern web applications. By default, it is insecure and vulnerable to be intercepted by an authorized party. Cookies typically store session identifiers that may offer full access to an account, therefore if a cookie is intercepted, a session can be hijacked by someone who is not the real user but pretending as that user.
For this reason, it’s very important to set up the required settings to make cookies more secure and this can be achieved by paying attention to below two things :

1. HttpOnly Flag

The first flag we need to set up is the HttpOnly flag. By default, when there’s no restriction in place, cookies can be transferred not only by HTTP, but any JavaScript files loaded on a page can also access the cookies. This ability can be dangerous because it makes the page vulnerable to cross-site scripting (XSS) attack.
The only way to restrict this is by setting the HttpOnly flag, which means the only way cookies are sent is via an HTTP connection, not directly through other means (i.e., JavaScript).

2. Secure Flag

The second flag we need to pay attention to is the Secure flag. This flag highlights the second issue that by default cookies are always sent on both HTTP and HTTPS requests. A malicious attacker who can’t see encrypted traffic with HTTPS connection can easily switch to HTTP connection and access the same cookie because it is not encrypted. Therefore, we need to set the Secure flag to ensure that the cookie is encrypted when it’s created.

By right, those settings should be managed within the application code. However, due to developers’ unawareness, ITOPS may have to force the settings on the respective web servers by following one of below procedures.

Implementation Procedure in Apache

  • Ensure you have mod_headers.so enabled in Apache HTTP server
  • Add following entry in httpd.conf
    Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=None
  • Restart Apache HTTP server to test
Note: Header edit is not compatible with lower than Apache 2.2.4 version.
  • You can use the following to set the HttpOnly and Secure flag in lower than 2.2.4 version.
    Header set Set-Cookie HttpOnly;Secure;SameSite=None

Implementation Procedure in Tomcat

Implement HttpOnly & Secure flag in Tomcat 6.x

  • Log in to the server
  • Go to Tomcat installation path and then conf folder
  • Open context.xml using an editor and update Context section as below

    useHttpOnly="true"

Next, adding a secure flag.

  • Open server.xml and add below in Connector port section

    secure="true"
  • Restart Tomcat server to test the application

Implementing in Tomcat 7.x/8.x/9.x

  • Go to Tomcat >> conf folder
  • Open web.xml and add below in session-config section


<cookie-config>
<http-only>true</http-only>
<secure>true</secure>
</cookie-config>

  • Save the file and restart Tomcat to test it.

Implementation Procedure in IIS

Enable HttpOnly Flag in IIS

  • Edit the web.config file of your web application and add the following:
<system.web>
.....
<httpCookies httpOnlyCookies="true" requireSSL="true" />
...
</system.web>

Enable Secure Flag in IIS
To enable secure flag in IIS, it is better to use URL Rewrite and add the following to your web.config file:

<system.webServer>
<rewrite>
    <outboundRules>
      <clear />
      <rule name="Add SameSite" preCondition="No SameSite">
        <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
        <action type="Rewrite" value="{R:0}; SameSite=lax" />
      </rule>
      <preConditions>
        <preCondition name="No SameSite">
          <add input="{RESPONSE_Set_Cookie}" pattern="." />
          <add input="{RESPONSE_Set_Cookie}" pattern="; SameSite=lax" negate="true" />
        </preCondition>
      </preConditions>
    </outboundRules>
  </rewrite>
...
</system.webServer>

Implementation Procedure in Nginx

There are two possible ways to achieve this in Nginx web server.

  • By using “nginx_cookie_flag_module” Module

    An Nginx module called nginx_cookie_flag by Anton Saraykin let you quickly set cookie flag as HTTPOnly and Secure in Set-Cookie HTTP response header. One thing you got to keep in mind that you need to build Nginx from the source code by adding the module.
    Ex:
    --add-module=/path/to/nginx_cookie_flag_module

    Once Nginx is built with the above module, you can add the following line either in location or server directive in the respective configuration files.

    set_cookie_flag HttpOnly secure;

    Restart Nginx to verify the results
  • By using proxy_cookie_path
    Another alternative option is to add the below syntax in ssl.conf or default.conf

    proxy_cookie_path / "/; HTTPOnly; Secure;SameSite=none";

    Restart the Nginx to see the results.