Splunk Dev

Not all Splunk cookies have the HttpOnly tag set

VanderbekenRaou
New Member

In the web.conf file we have the following set:
tools.sessions.httponly = True
tools.sessions.secure = True

In the server.conf we have:
allowCookieAuth = true
cookieAuthHttpOnly = true
cookieAuthSecure = true

When looking in Chrome, some cookies have HttpOnly set and others don't:

Name: cval
Domain: splunk-dev.be.intranet
Path: /en-GB/account/
Send for: Secure connections only
Accessible to script: Yes

Name: session_id_8000
Domain: splunk-dev.be.intranet
Path: /
Send for: Secure connections only
Accessible to script: No (HttpOnly)

Name: splunkd_8000
Domain: splunk-dev.be.intranet
Path: /
Send for: Secure connections only
Accessible to script: No (HttpOnly)

Name: splunkweb_csrf_token_8000
Domain: splunk-dev.be.intranet
Path: /
Send for: Secure connections only
Accessible to script: Yes

Name: splunkweb_uid
Domain: splunk-dev.be.intranet
Path: /en-GB/account
Send for: Secure connections only
Accessible to script: Yes

What needs to be done to enforce HttpOnly for all cookies?


MichaelDZapanta
New Member

Hi,

Just wanted to check if there is already a way to enforce HTTPOnly directives to all cookies.

Thanks


anaidu_splunk
Splunk Employee

It's true that not all Splunk cookies have the HttpOnly tag set.

Apply the below fix for default settings:

Check web.conf to see if tools.sessions.httponly is set to true
http://docs.splunk.com/Documentation/Splunk/7.0.3/Admin/Webconf

Check server.conf to see if cookieAuthHttpOnly is set to true
http://docs.splunk.com/Documentation/Splunk/7.0.3/Admin/Propsconf

However,
cval is a cookie test that needs access from JS (can't be httpOnly)
csrf_token uses double submit pattern in JS (can't be httpOnly)

These are intentional cookie parameters and not security relevant issues.
They basically outline and explain that cookies are not related to any session or authentication settings and are needed to access from JavaScript,
so they cannot be ‘HttpOnly’. The httponly flag is a mechanism to disallow the use of these cookies from script elements;
however, these cookies are used by scripting elements, so setting them as httponly would break the web interface functionality.

pferrazzano
Engager

Thank you anaidu! I'm running into the same problem. Is there a list of all Splunk cookies that can't be HttpOnly? Is it manageable to try and exclude these using "Header edit Set-Cookie ^((?!EXCLUDED-COOKIES).*)$ $1;HttpOnly;Secure..." in httpd.conf? Or do they change too often?

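As an added example (not from this thread and not Splunk's own code), a small Python audit of Set-Cookie headers that treats the two cookies the reply above says must stay script-readable (cval and the splunkweb_csrf_token_<port> double-submit token) as expected exceptions, flags anything else missing HttpOnly or Secure, and emulates the proxy-side rewrite pferrazzano proposes using the same exclusion list. The sample headers are constructed from the cookie list in the question; whether splunkweb_uid is needed from JavaScript is not stated on the page, so it is reported for review (assumption).

```python
import re

# Cookies that Splunk Web reads from JavaScript, per the reply above:
# the cval browser test cookie and the double-submit CSRF token.
# splunkweb_uid is script-accessible in the question's list, but the
# page does not say JS needs it, so it is NOT excluded here (assumption).
JS_REQUIRED = (re.compile(r"^cval$"), re.compile(r"^splunkweb_csrf_token_\d+$"))


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip() if v else True
    return name.strip(), value, attrs


def is_js_required(name):
    return any(rx.match(name) for rx in JS_REQUIRED)


def audit(headers):
    """Return (cookie, problem) pairs for cookies lacking Secure or HttpOnly."""
    findings = []
    for h in headers:
        name, _, attrs = parse_set_cookie(h)
        if "secure" not in attrs:
            findings.append((name, "missing Secure"))
        if "httponly" not in attrs and not is_js_required(name):
            findings.append((name, "missing HttpOnly"))
    return findings


def add_httponly(header):
    """Emulate the proposed reverse-proxy rewrite: append HttpOnly unless
    the cookie is one JS must read, or it already carries the flag."""
    name, _, attrs = parse_set_cookie(header)
    if is_js_required(name) or "httponly" in attrs:
        return header
    return header + "; HttpOnly"


# Constructed sample headers modelled on the cookie list in the question.
SAMPLE = [
    "cval=12345; Path=/en-GB/account/; Secure",
    "session_id_8000=abc; Path=/; Secure; HttpOnly",
    "splunkd_8000=def; Path=/; Secure; HttpOnly",
    "splunkweb_csrf_token_8000=tok; Path=/; Secure",
    "splunkweb_uid=uid; Path=/en-GB/account; Secure",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```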

ksoucy
Path Finder

Don't know if you've ever found a solution to this issue, but I'm experiencing the exact same issue in version 7.0.1. I've not found any solution in Answers/Google so I've opened a case with Splunk. Will post the solution here if/when Splunk provides one.
