Open szalonna opened 5 months ago
Thank you for your feedback. We'll take this into consideration!
I'm including this from our security department:
Our PCI scanning vendor (Qualys) marks the session cookie as a medium priority finding as it is missing the HttpOnly and Secure attributes. This is a client-side cookie for which these attributes cannot be set, since the Datadog tool needs to actually inspect the cookie. Further, the cookie does not contain any sensitive information related to payment cards, which is what PCI is concerned about. For these reasons, this finding creates an unnecessary hurdle in allowing us to pass our scans. Right now the workaround to get the scan to pass is by providing an explanation to Qualys as to why they should ignore it. This is not ideal because this would need to be done on every scan and becomes a burden on us for no good reason. So the ideal solution would be for Datadog to use localStorage instead of using a cookie, as mentioned in this issue.
We would like to continue using DataDog's RUM product, so please advise on an ETA for this.
Thank you.
+1 on this for the same reasons above
@BenoitZugmeyer Is there any way to disable Datadog's cookie at all? I would like to use a proxy so I do not need any cookies.
Hello Datadog!
Currently RUM supports local storage as a fallback session store when the client runs in an environment which does not meet the requirements for cookie handling and `allowFallbackToLocalStorage` is enabled. I would love to see an option where we can enforce local storage as the session store independently of whether the platform is able to store a cookie or not.
Reason
Like mentioned in #590 and #1346, web application security reports mark the session cookie as a low priority finding as it is non-HttpOnly. If we, as application developers, could enforce the storage strategy, we could address these findings rather than just "ignoring" them. If the fallback strategy works as well as the cookie one, or if there are some known limitations between the two, we should be able to make this decision.
Possible implementation
- `InitConfiguration` interface with a new flag like `enforceToLocalStorage`
- `enforceToLocalStorage` flag before checking if the platform is able to handle cookies