Not all Splunk cookies have the HttpOnly tag set

In the web.conf file we have the following positioned:

    tools.sessions.httponly = True
    tools.sessions.secure = True

In the server.conf we have:

    allowCookieAuth = true
    cookieAuthHttpOnly = true
    cookieAuthSecure = true

When looking in Chrome, some cookies have HttpOnly set and others don't:

    Name: cval
    Domain: splunk-dev.be.intranet
    Path: /en-GB/account/
    Send for: Secure connections only
    Accessible to script: Yes

    Name: session_id_8000
    Domain: splunk-dev.be.intranet
    Path: /
    Send for: Secure connections only
    Accessible to script: No (HttpOnly)

    Name: splunkd_8000
    Domain: splunk-dev.be.intranet
    Path: /
    Send for: Secure connections only
    Accessible to script: No (HttpOnly)

    Name: splunkweb_csrf_token_8000
    Domain: splunk-dev.be.intranet
    Path: /
    Send for: Secure connections only
    Accessible to script: Yes

    Name: splunkweb_uid
    Domain: splunk-dev.be.intranet
    Path: /en-GB/account
    Send for: Secure connections only
    Accessible to script: Yes

What needs to be done to enforce HttpOnly for all cookies?
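An added example, not part of the original question and not Splunk's own code: a small Python audit that reads raw Set-Cookie header values and reports, per cookie, whether Secure and HttpOnly are present, which is the same information the Chrome view in the question shows. The header lines are constructed samples that reuse the cookie names and paths from the question; the cookie values are placeholders and the function names are hypothetical.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly attributes."""

# Constructed sample headers: names and paths are taken from the question,
# the cookie values are placeholders.
SAMPLE_HEADERS = [
    "cval=PLACEHOLDER; Path=/en-GB/account/; Secure",
    "session_id_8000=PLACEHOLDER; Path=/; Secure; HttpOnly",
    "splunkd_8000=PLACEHOLDER; Path=/; Secure; HttpOnly",
    "splunkweb_csrf_token_8000=PLACEHOLDER; Path=/; Secure",
    "splunkweb_uid=PLACEHOLDER; Path=/en-GB/account; Secure",
]


def parse_set_cookie(header):
    """Return (name, attrs); attribute names lower-cased, flags map to True."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        # Attribute names are case-insensitive; a bare word is a flag.
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), attrs


def audit(headers):
    """Map each cookie name to its path and security flags."""
    report = {}
    for header in headers:
        if not header.strip():
            continue  # ignore empty header values
        name, attrs = parse_set_cookie(header)
        report[name] = {
            "path": attrs.get("path", ""),
            "secure": "secure" in attrs,
            "httponly": "httponly" in attrs,
        }
    return report


def missing_flag(headers, flag):
    """List cookie names whose header lacks the given flag."""
    return [n for n, r in audit(headers).items() if not r[flag]]


if __name__ == "__main__":
    for name, row in audit(SAMPLE_HEADERS).items():
        script = "No (HttpOnly)" if row["httponly"] else "Yes"
        print(f"{name:28} path={row['path']:18} accessible to script: {script}")
```

A cookie that client-side script has to read, which is the usual design for a CSRF token cookie, cannot carry HttpOnly without breaking that script, so treat such entries as items to review rather than automatic findings.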
