Looking at the spring-web source, I think we may have been beaten to it! PR...
https://github.com/spring-projects/spring-framework/commit/d05fc2ed9c722f1bfc9fd5009702b0ee3ce0c6ec
...respects the "Secure" and "HttpOnly" flags as described in this discussion.

Versions 3.2.4.RELEASE and 4.1.8.RELEASE of spring-web have not received a back-port, so 4.2.0.RELEASE or newer is required to get the desired behaviour.

On Wednesday, 21 October 2015 15:50:44 UTC+1, Aaron Grant wrote:
> I can confirm this as well, I happened to run a penetration test with
> Netsparker on our version (CAS v4.0.x) yesterday and it flagged the same
> issue.
>
> On Wed, Oct 21, 2015 at 6:06 AM, Jérôme LELEU <[email protected]> wrote:
>> Thanks for the issue and keeping us posted...
>>
>> 2015-10-21 11:58 GMT+02:00 Andrew Scully <[email protected]>:
>>> Raised a ticket:
>>> https://github.com/Jasig/cas/issues/1230
>>>
>>> Unfortunately my company requires CLAs before open source projects are
>>> contributed to -- I've got the ball rolling.
>>>
>>> On Tuesday, 20 October 2015 16:50:01 UTC+1, Jérôme LELEU wrote:
>>>> Yes, first a Github issue to track the problem and then, if you can
>>>> submit a PR, that's better. I don't think the lack of a CLA is blocking
>>>> for a merge; for now, I tend to consider a pull request submission as an
>>>> implicit agreement to the CLA...
>>>>
>>>> 2015-10-20 17:38 GMT+02:00 Andrew Scully <[email protected]>:
>>>>> OK that sounds sensible.
>>>>>
>>>>> I'm not CLA'd for Apereo although this is something I'm currently
>>>>> looking into.
>>>>>
>>>>> I can raise an issue in the interim?
>>>>>
>>>>> On Tuesday, 20 October 2015 15:17:12 UTC+1, Jérôme LELEU wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I don't see any security issue as the disclosed value is a blank
>>>>>> one, though I admit it would be better to have these flags for removal
>>>>>> as well as creation (consistency).
>>>>>>
>>>>>> I think it should be done at CAS level. It should not be too
>>>>>> complicated. Would you mind submitting a pull request for that?
>>>>>>
>>>>>> Thanks.
>>>>>> Best regards,
>>>>>> Jérôme
>>>>>>
>>>>>> 2015-10-20 16:11 GMT+02:00 Andrew Scully <[email protected]>:
>>>>>>> Something picked up on by our penetration testing team is that,
>>>>>>> while the "HttpOnly" and "Secure" flags are present when setting the
>>>>>>> CAS cookies (e.g. CASTGC and CASPRIVACY), they are not present when
>>>>>>> the cookie is removed.
>>>>>>>
>>>>>>> (Note: You cannot literally "remove" a cookie, you do so by setting
>>>>>>> it to an empty string)
>>>>>>>
>>>>>>> This gets flagged up by some pen testing tools (such as OWASP ZAP)
>>>>>>> although, since the response cookie value is actually blank, no
>>>>>>> sensitive data can be disclosed to the client (in the case of
>>>>>>> HttpOnly) / man-in-the-middle (in the case of Secure).
>>>>>>>
>>>>>>> org.jasig.cas.web.support.CookieRetrievingCookieGenerator doesn't
>>>>>>> override #removeCookie() so the behavior from
>>>>>>> org.springframework.web.util.CookieGenerator is inherited, which
>>>>>>> doesn't respect the HttpOnly / Secure flags.
>>>>>>>
>>>>>>> So obviously we can just override the cookie generator ourselves if
>>>>>>> we want to change this, but I was wondering if anyone has an opinion
>>>>>>> to offer on whether this should be done by CAS (or even Spring)
>>>>>>> instead?
>>>>>>>
>>>>>>> --
>>>>>>> You are currently subscribed to [email protected] as:
>>>>>>> [email protected]
>>>>>>> To unsubscribe, change settings or access archives, see
>>>>>>> http://www.ja-sig.org/wiki/display/JSG/cas-dev
>
> --
> Aaron Grant
> Senior Applications Architect
> Oakland University - UTS <http://oakland.edu/uts>
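As an added example (not code from the CAS project, from Spring, or from any poster in this thread), here is one way to do the override Andrew mentions for a spring-web version older than 4.2.0.RELEASE: a CookieGenerator subclass whose removeCookie() builds the expiring cookie through the same createCookie() hook that addCookie() uses and then copies the Secure and HttpOnly settings onto it. It assumes the Servlet 3.0+ javax.servlet.http.Cookie API (setHttpOnly / isHttpOnly) and the isCookieSecure() / isCookieHttpOnly() getters on org.springframework.web.util.CookieGenerator; the class name FlagPreservingCookieGenerator and the buildExpiredCookie() helper are hypothetical names chosen for this example.

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

import org.springframework.web.util.CookieGenerator;

/**
 * Hypothetical CookieGenerator subclass (example code, not CAS or Spring code).
 *
 * In spring-web before 4.2.0.RELEASE, CookieGenerator.removeCookie() builds the
 * expiring cookie via createCookie("") and only sets max-age 0, so the "Secure"
 * and "HttpOnly" attributes configured for creation are dropped on removal.
 * This subclass applies the same attributes on removal as on creation.
 */
public class FlagPreservingCookieGenerator extends CookieGenerator {

    @Override
    public void removeCookie(HttpServletResponse response) {
        if (response == null) {
            throw new IllegalArgumentException("HttpServletResponse must not be null");
        }
        response.addCookie(buildExpiredCookie());
    }

    /**
     * Builds the cookie that tells the browser to discard the stored one:
     * same name, domain and path as on creation (so the browser matches it),
     * an empty value, max-age 0, and the same Secure / HttpOnly attributes.
     */
    protected Cookie buildExpiredCookie() {
        // createCookie() is the superclass hook that sets name, domain and path.
        Cookie cookie = createCookie("");
        cookie.setMaxAge(0);
        // Mirror the attributes that addCookie() applies when the cookie is set.
        cookie.setSecure(isCookieSecure());
        cookie.setHttpOnly(isCookieHttpOnly());
        return cookie;
    }

    /** Stand-alone demonstration: configure the generator like a CAS TGC cookie. */
    public static void main(String[] args) {
        FlagPreservingCookieGenerator generator = new FlagPreservingCookieGenerator();
        generator.setCookieName("CASTGC");   // cookie name taken from the thread
        generator.setCookiePath("/cas");     // assumed deployment path
        generator.setCookieSecure(true);
        generator.setCookieHttpOnly(true);

        Cookie expired = generator.buildExpiredCookie();
        System.out.println(expired.getName()
                + " value='" + expired.getValue() + "'"
                + " maxAge=" + expired.getMaxAge()
                + " secure=" + expired.getSecure()
                + " httpOnly=" + expired.isHttpOnly());
    }
}
```

Wire this class in wherever the cookie generator bean is defined, in place of the generator that inherits the stock removeCookie(), and confirm the change the same way the scanners do: capture the response that clears the cookie (the logout response, for the TGC) and check that its Set-Cookie header for the emptied cookie carries both the Secure and the HttpOnly attributes alongside the zero max-age, matching the header sent when the cookie was first set. On spring-web 4.2.0.RELEASE or newer the upstream commit linked above makes this override unnecessary.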
