Cookie Prefixing

Owned by Scott Cantor
Last updated: Aug 17, 2023
2 min read

Overview

There are a number of non-standard-but-browsers-support-them hacks in existence to prevent various kinds of cookie spoofing attacks that arise because of the ability to scope cookies beyond just a host. They enable a server to limit itself to cookies that the browser will not allow to be scoped wider than a domain, and so cannot be set by a different host in the domain. This is likely to be the default in V5 for fresh installs, but requires some changes right now to enable.

The way this is done is by getting the relevant cookies' names to be prefixed by “__Host-” and to do this you MUST be using TLS and you MUST also adjust the cookie’s path to the server root (which may cause issues if you colocate the IdP with something else in the container, but you really shouldn’t do that anyway…)

Broadly, you have to deal with both the IdP’s own cookie(s) and the servlet container’s session cookie, and those are handled in different places, obviously.

Container Session Cookie

Using modern containers, it’s possible to override the name of the session cookie from JSESSIONID to __Host-JSESSIONID (or anything else with the prefix of course) and adjust the path. You will need to override the web.xml file (and the config is included in a commented section in the newer IdP releases also).

  1. If you haven't customized it already, copy dist/webapp/WEB-INF/web.xml into edit-webapp/WEB-INF/web.xml

  2. In the <session-config> element, override the name and path of the cookie as follows:

    <session-config> <session-timeout>15</session-timeout> <cookie-config> <!-- Uncomment to add __Host- protection. --> <name>__Host-JSESSIONID</name> <path>/</path> <secure>true</secure> <http-only>true</http-only> </cookie-config> <tracking-mode>COOKIE</tracking-mode> </session-config>

3. Rebuild the IdP’s war in the usual way and redeploy.

IdP Cookies

This is limited to V4.2+ of the software; the relevant properties are not supported on older versions.

The IdP’s own cookies are controlled with idp.properties. The primary issue here is the IdP’s session, obviously:

# Host-only cookies have to be global to the server, which is not the IdP default. idp.cookie.path = / # Name of cookie used for session idp.session.cookieName = __Host-shib_idp_session

If you use other IdP features, there are similar properties you will find in the documentation for adjusting those names as well, though the sensitivity of most all of them is probably not that high.

For example, if you use the Warning interceptor flow, its cookies to track warning frequency can also be adjusted:

idp.warning.notifyCookiePrefix = __Host-shib_idp_warn_

Ultimately the cookie names here don’t really matter once you override them, but the examples here match the original names in the software. It is ill-advised to ever allow anybody to depend on their names.