This repository has been archived by the owner on Feb 12, 2023. It is now read-only.

Making Cookies HTTPOnly #502

Open
ChakshuGautam opened this issue Jan 12, 2021 · 4 comments

Comments

@ChakshuGautam

ChakshuGautam commented Jan 12, 2021

Software and hardware versions

macOS Docker Compose, Aggregate v2.0.5 [Self built WAR] behind NGINX reverse proxy

Problem description

Trying to make cookies secure by

```nginx
proxy_cookie_path / "/; HTTPOnly; Secure";
```

But I see that HTTPOnly cannot be enabled due to the doc.cookie API being used internally to cache.

Found the context.xml file which explicitly does not allow this. Is there a specific reason?

```xml
<Context useHttpOnly="false">
  <JarScanner>
    <JarScanFilter pluggabilitySkip="*" tldSkip="*" />
  </JarScanner>
</Context>
```
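An added example (not code from the Aggregate project or from this thread) that checks `Set-Cookie` headers for the `HttpOnly` and `Secure` attributes the issue is trying to enforce, and shows a hardened form of a header that lacks them. The header values are constructed samples; `JSESSIONID` is used only as an illustrative Tomcat-style session cookie name, and the paths are made up.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample Set-Cookie headers; not captured from a real deployment.
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/ODKAggregate",        # neither flag set
    "JSESSIONID=abc123; Path=/; HttpOnly; Secure",  # both flags set
    "pref=dark; Path=/; Secure; SameSite=Lax",      # Secure only
]


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str], Set[str]]:
    """Split a Set-Cookie header into (name, value, key=value attributes, bare flags).

    Attribute names are compared case-insensitively, so "HTTPOnly" and
    "HttpOnly" are treated the same, as browsers do.
    """
    pieces = [p.strip() for p in header.split(";")]
    name, _, value = pieces[0].partition("=")
    attrs: Dict[str, str] = {}
    flags: Set[str] = set()
    for piece in pieces[1:]:
        if not piece:
            continue
        key, sep, val = piece.partition("=")
        if sep:
            attrs[key.strip().lower()] = val.strip()
        else:
            flags.add(key.strip().lower())
    return name.strip(), value.strip(), attrs, flags


def missing_protections(header: str) -> List[str]:
    """Return the names of the HttpOnly/Secure flags absent from the header."""
    _, _, _, flags = parse_set_cookie(header)
    missing: List[str] = []
    if "httponly" not in flags:
        missing.append("HttpOnly")
    if "secure" not in flags:
        missing.append("Secure")
    return missing


def harden(header: str) -> str:
    """Append any missing HttpOnly/Secure flags without touching other attributes."""
    return "; ".join([header.rstrip("; ")] + missing_protections(header))


def audit(headers: List[str]) -> List[Tuple[str, List[str]]]:
    """Report (cookie name, missing flags) for each header, preserving order."""
    return [(parse_set_cookie(h)[0], missing_protections(h)) for h in headers]


if __name__ == "__main__":
    for name, missing in audit(SAMPLE_HEADERS):
        status = "ok" if not missing else "missing " + ", ".join(missing)
        print(f"{name}: {status}")
    print(harden(SAMPLE_HEADERS[0]))
```

Running the audit against the headers a proxy actually emits is the quick way to confirm whether a `proxy_cookie_path` rewrite produced the intended attributes. The checker only looks at the response headers; it cannot tell whether page script reads the cookie through `document.cookie`, which is the breakage this thread reports once `HttpOnly` is set.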
@lognaturel
Member

lognaturel commented Jan 13, 2021

Please note that the recommended ODK server is now ODK Central and the core ODK team no longer maintains Aggregate.

Have you tried changing that setting in `<Context useHttpOnly="false">`? I don't know what its history is.

@ChakshuGautam
Author

Yes. The generated cache.js just stops working altogether. Not sure why. It has references to the doc.cookie API, which is disabled when we use HttpOnly=true.

@ChakshuGautam
Author

One of the reasons why we are not able to use ODK Central is webhooks. We have built a pipeline around webhooks, which are still not supported by Central.

@lognaturel
Member

I would recommend searching the forum for setups similar to yours or posting if you don't find anything useful.

> We have built a pipeline around webhooks

It would be helpful to know more about your workflow. We've discussed some possibilities in this area but will need to have more user input before we build anything.
