Forum: PowerTCP WebServer for ActiveX. Topic: Secured DartSession Cookie
mjxnjx (From: Sunnyvale, CA USA. Posts: 26. Member Since: 06/15/05)
posted April 1, 2014 4:58 PM

Hello, We recently failed a security audit in that the "DartSession" cookie is not listed as "secured" and "httpOnly". We are able to set these parameters for our own cookies. Could you provide sample code on how to set these security parameters for the DartSession cookie?
Nick B (Admin) (From: Utica, NY USA. Posts: 619. Member Since: 05/25/10)
posted April 2, 2014 9:42 AM

Hello, Setting Cookie.Secure will add 'secure' to the cookie. To specify any values not exposed by the Cookie object (such as httpOnly), use Cookie.All to specify the cookie's content.
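Added example (not Dart's code and not the poster's): a standard-library C++ helper that builds the kind of Set-Cookie text the reply above says can be handed to Cookie.All, plus an audit routine that checks a Set-Cookie header for the Secure and HttpOnly attributes the poster's audit required, so the same check can be run against every cookie the server emits, including DartSession. The function names and the assumption that Cookie.All accepts raw cookie text are mine.

```cpp
#include <string>
#include <sstream>
#include <algorithm>
#include <cctype>

// Hypothetical helper: lower-case copy of s for case-insensitive attribute matching.
static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return std::tolower(c); });
    return s;
}

// Build the full Set-Cookie text for a session-style cookie with both flags set,
// the kind of string an application would hand to Cookie.All (assumption: the
// property takes the raw cookie text, as the admin's reply suggests).
std::string buildSecureCookie(const std::string& name, const std::string& value,
                              const std::string& path = "/") {
    return name + "=" + value + "; Path=" + path + "; Secure; HttpOnly";
}

// Audit result for one Set-Cookie header value.
struct CookieAudit {
    std::string name;
    bool secure = false;
    bool httpOnly = false;
};

// Parse one Set-Cookie header value (e.g. "DartSession=abc; Path=/") and report
// whether the Secure and HttpOnly attributes are present. Attribute names are
// matched case-insensitively; the first "name=value" pair supplies the name.
CookieAudit auditSetCookie(const std::string& header) {
    CookieAudit result;
    std::stringstream ss(header);
    std::string part;
    bool first = true;
    while (std::getline(ss, part, ';')) {
        size_t b = part.find_first_not_of(" \t");          // trim surrounding whitespace
        size_t e = part.find_last_not_of(" \t");
        if (b == std::string::npos) continue;               // skip empty segments
        part = part.substr(b, e - b + 1);
        if (first) { result.name = part.substr(0, part.find('=')); first = false; continue; }
        std::string attr = lower(part);
        if (attr == "secure") result.secure = true;
        else if (attr == "httponly") result.httpOnly = true;
    }
    return result;
}

// True when the cookie carries both flags the audit demanded.
bool passesAudit(const std::string& header) {
    CookieAudit a = auditSetCookie(header);
    return a.secure && a.httpOnly;
}
```

Feeding the raw Set-Cookie lines from a captured response (constructed or from a test client) through passesAudit reproduces the auditor's finding without waiting for the next scan.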
mjxnjx (From: Sunnyvale, CA USA. Posts: 26. Member Since: 06/15/05)
posted April 2, 2014 1:27 PM

Hello, That works for any cookie we create, yes. But the "DartSession" cookie does not appear to be included in the Cookies object of the DartRequest class object. How do I access it?

    MyWebServer::WebServer_Get(...params...)
    {
        ...EditVariables and such...

        // Iterate through the cookies (the Cookies collection is 1-based)
        DartWebServer::ICookiesPtr Cookies;
        DartWebServer::ICookiePtr Cookie;
        Cookies = pDartRequest->Cookies;
        COleVariant ovIndex;
        ovIndex.ChangeType(VT_I4);
        for (int n = 1; n <= Cookies->Count; n++)
        {
            ovIndex.intVal = n;
            Cookie = Cookies->Item(ovIndex);
            CString sCookieName = (char *)Cookie->Name;
            CString sCookieValue = (char *)Cookie->Value;
            Log("COOKIE [" + sCookieName + "]: " + sCookieValue);
        }
    }

The result shows all my software-defined cookies but not the built-in "DartSession" cookie that I appear to have no access to.
Nick B (Admin) (From: Utica, NY USA. Posts: 619. Member Since: 05/25/10)
posted April 2, 2014 4:41 PM

I'm sorry, I didn't recognize that this wasn't for an arbitrary cookie. There is no programmatic control over its content, but it may be disabled by setting WebServer.PlaceCookies to false.
mjxnjx (From: Sunnyvale, CA USA. Posts: 26. Member Since: 06/15/05)
posted April 2, 2014 6:52 PM

Ok, that eliminates the cookie and the problem, thanks! Is it safe to say the only loss by eliminating the cookie is that each and every request is now its own unique session (since it doesn't keep the session info in a cookie now)? In future it would be good to have an option to just set the parameters for the hard-coded cookies (secure, httpOnly, path, etc.).
Nick B (Admin) (From: Utica, NY USA. Posts: 619. Member Since: 05/25/10)
posted April 3, 2014 9:29 AM

Yes. Please see the Session object help documentation for additional information. I've entered your request as TTWeb5733. For information or updates on its status, or for priority support options, please contact sales@dart.com.