What steps will reproduce the problem?
1. Bind your security cookie to your session cookie in the Servlet module and the Client module:
// in servlet and client modules
bindConstant().annotatedWith(SecurityCookie.class).to("JSESSIONID");
// in client module only
ActionImpl.DEFAULT_SERVICE_NAME).with(DispatchServiceImpl.class);
2. Create an action through the dispatcher in your GWT module to perform some server-side operations.
What is the expected output? What do you see instead?
It should perform the server-side operations, but it always returns the following message in the logs:
"Cookie provided by RPC doesn't match request cookie, aborting action, possible XSRF attack. (Maybe you forgot to set the security cookie?)"
The application is not working.
What version of the product are you using? On what operating system?
0.7 + Windows 7 64bit + IE9 + IE7 (compatibility view)
// successful in this case, read the comments below
0.7 + Windows XP/7 64bit + IE8 + IE8 (compatibility view)
According to the httpOnly documentation, when the httpOnly flag is set in the header you won't be able to get the JSESSIONID, because that's what it does to protect you from XSRF attacks.
When the GWT dispatcher tries to execute an action, it checks through com.google.gwt.user.client.Cookies.getCookie() whether the JSESSIONID variable is set in document.cookie or not, but as the httpOnly attribute prevents document.cookie from accessing the JSESSIONID, the map never has that value and the above exception is thrown.
I have also tried it with IE8 in compatibility and non-compatibility view and noticed that when I set the httpOnly flag in the header it doesn't complain and executes the action successfully, which is a bug in IE8: it allows the JSESSIONID to be exposed through the document.cookie object even with the httpOnly flag set to true.
Now, due to a security audit, we really can't remove httpOnly from the headers, as that is a fail.
Any suggestions to get it right in the future?
Original issue reported on code.google.com by luqmanah...@gmail.com on 7 Dec 2012 at 1:25
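To make the failure mode in this report concrete, here is an added JavaScript model (written for this issue, not GWTP code) of the two halves of the check: the client reads the bound security cookie from document.cookie the way Cookies.getCookie() would, and a simplified server-side comparison accepts the action only when that value equals the cookie in the request. The function names, the `actionAccepted` decision and the sample cookies (including the separate non-HttpOnly XSRF-TOKEN cookie used in the third setup) are this example's own constructions; the GWTP internals themselves are not reproduced.

```javascript
// Parse Set-Cookie headers into {name: value}. With forScript=true the
// result is what document.cookie exposes, so HttpOnly cookies are left out;
// with forScript=false it is what the browser puts into the Cookie header
// of the next request (HttpOnly cookies included).
function parseCookies(setCookieHeaders, forScript) {
  const jar = {};
  for (const header of setCookieHeaders) {
    const [pair, ...attrs] = header.split(";").map((s) => s.trim());
    const httpOnly = attrs.some((a) => a.toLowerCase() === "httponly");
    const eq = pair.indexOf("=");
    if (eq <= 0 || (forScript && httpOnly)) continue;
    jar[pair.slice(0, eq)] = pair.slice(eq + 1);
  }
  return jar;
}

// Client side: the value a Cookies.getCookie(name)-style lookup would hand
// to the RPC, or null when the script cannot see the cookie at all.
function rpcCookieValue(setCookieHeaders, name) {
  const v = parseCookies(setCookieHeaders, true)[name];
  return v === undefined ? null : v;
}

// Server side (simplified model, not GWTP's code): the action is accepted
// only when the value carried in the RPC equals the value the browser sent
// in the Cookie header; a missing RPC value therefore counts as a mismatch.
function actionAccepted(setCookieHeaders, securityCookieName) {
  const fromRpc = rpcCookieValue(setCookieHeaders, securityCookieName);
  const fromRequest = parseCookies(setCookieHeaders, false)[securityCookieName];
  return fromRpc !== null && fromRpc === fromRequest;
}

// Constructed sample responses (not real cookies): the reporter's setup
// with an HttpOnly JSESSIONID, the same cookie without HttpOnly, and a setup
// that keeps the session cookie HttpOnly but binds a separate, readable
// token cookie as the security cookie instead.
const HTTPONLY_SESSION = ["JSESSIONID=abc123; Path=/; HttpOnly"];
const PLAIN_SESSION = ["JSESSIONID=abc123; Path=/"];
const SESSION_PLUS_TOKEN = [
  "JSESSIONID=abc123; Path=/; HttpOnly",
  "XSRF-TOKEN=5f2d9c; Path=/",
];
```

Binding JSESSIONID while it is HttpOnly makes `rpcCookieValue` return null, so `actionAccepted` is always false; keeping the session cookie HttpOnly and binding a dedicated token cookie as the security cookie satisfies both the audit and the check.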