Login  
Search All Forums
Dart Home | PowerTCP WebServer for ActiveX | Custom Development Reply | PowerTCP WebServer for ActiveX Topics | Forums   
AuthorForum: PowerTCP WebServer for ActiveX
Topic: Secured DartSession Cookie
mjxnjx

From: sunnyvale, CA USA
Posts: 26
Member Since: 06/15/05
posted April 1, 2014 4:58 PM

Hello,

We recently failed a security audit in that the "DartSession" cookie is not listed as "secured" and "httpOnly". We are able to set these parameters for our own cookies. Could you provide sample code on how to set these security parameters for the DartSession cookie?
Nick B (Admin)

From: Utica, NY USA
Posts: 578
Member Since: 05/25/10

Extra Support Options
Custom Application Development

posted April 2, 2014 9:42 AM

Hello,

Setting Cookie.Secure will add 'secure' to the cookie. To specify any values not exposed by the Cookie object (such as httpOnly), use Cookie.All to specify the cookie's content.

------
-Non-current subscribers must contact sales@dart.com to update subscription and receive continued support as needed.
------

mjxnjx

From: sunnyvale, CA USA
Posts: 26
Member Since: 06/15/05
posted April 2, 2014 1:27 PM

Hello,

That works for any cookie we create, yes. But the "DartSession" cookie does not appear to be included in the Cookies object of the DartRequest class object. How do I access it?

MyWebServer::WebServer_Get(...params...)
{
  ...EditVariables and such...

  // Iterate through the cookies
  DartWebServer::ICookiesPtr Cookies;
  DartWebServer::ICookiePtr Cookie;
  Cookies = pDartRequest->Cookies;
  COleVariant ovIndex;
  ovIndex.ChangeType(VT_I4);

  for(int n = 1; n <= Cookies->Count; n++)
  {
   ovIndex.intVal = n;
   Cookie = Cookies->Item(ovIndex);
   CString sCookieName = (char *)Cookie->Name;
   CString sCookieValue = (char *)Cookie->Value;

   Log("COOKIE [" + sCookieName + "]: " + sCookieValue);
  }
}

The result shows all my software-defined cookies but not the built-in "DartSession" cookie that I appear to have no access to.
Nick B (Admin)

From: Utica, NY USA
Posts: 578
Member Since: 05/25/10

Extra Support Options
Custom Application Development

posted April 2, 2014 4:41 PM

I'm sorry, I didn't recognize that this wasn't for an arbitrary cookie. There is no programmatic control over its content, but it may be disabled by setting WebServer.PlaceCookies to false.

------
-Non-current subscribers must contact sales@dart.com to update subscription and receive continued support as needed.
------

mjxnjx

From: sunnyvale, CA USA
Posts: 26
Member Since: 06/15/05
posted April 2, 2014 6:52 PM

Ok, that eliminates the cookie and the problem, thanks! Is it safe to say the only loss by eliminating the cookie is that each and every request is now it's own unique session (since it doesn't keep the session info in a cookie now)?

It in future it would be good to have an option to just set the parameters for the hard-coded cookies (secure,httpOnly,path,etc).
Nick B (Admin)

From: Utica, NY USA
Posts: 578
Member Since: 05/25/10

Extra Support Options
Custom Application Development

posted April 3, 2014 9:29 AM

Yes. Please see the Session object help documentation for additional information.

I've entered your request as TTWeb5733. For information or updates on its status, or for priority support options, please contact sales@dart.com.

------
-Non-current subscribers must contact sales@dart.com to update subscription and receive continued support as needed.
------

Reply | PowerTCP WebServer for ActiveX Topics | Forums   
This site is powered by PowerTCP WebServer Tool PowerTCP WebServer for ActiveX