Set the 'HttpOnly' attribute on solara-session-id cookie

[lopezvoliver]

As part of a security vulnerability test on a solara-based project, the following Medium risk was identified:

CWE 402 Transmission of Private Resources into a New Sphere ('Resource Leak')

Flaw Category: Deployment Configuration
Effort to Fix: 2 - Implementation error.
Fix is approx. 6-50 lines of code.
1 day to fix.

Description: One or more cookies does not have the 'HttpOnly' attribute set. Using this attribute helps to prevent client-side Javascript from accessing the cookie, thereby mitigating one of the most common XSS exploit scenarios.

Remediation: Unless the application requires that cookies be accessible to Javascript code, set the 'HttpOnly' attribute when generating cookies.

Parameter: solara-session-id

As a first time developer of a small application based on Solara, where can I look to fix this issue? Is there a configuration option or a command-line option for solara run that could fix this?

Or is it something can't be changed (i.e. "the application requires that the cookie accessible to Javascript code")? If so, how can I justify it

[maartenbreddels]

Hi Olivier,

thank you for bringing up this point. A while ago i noticed this myself as well, and was wondering it we should change this, and what the risks are. I'm happy for this to be changed.
To be backward compatible, we can put this under a flag, (see https://github.com/widgetti/solara/pull/792/files as an example), and make this the default in the next major release.
Btw, can you give me a concrete example where this can make a difference? It would help me understand the need for this better.

Regards,

Maarten

[lopezvoliver]

Hi Maarten, I don't have a concrete example at the moment. The information I posted is based on an automated security test/report.

I guess the important part is whether the application requires the cookie, in this case solara-session-id to be accessible using javascript? I can also guess this means from the client-side.

The vulnerability is that javascript on the client-side can be used to reveal the information in the cookie (which in this case I guess it's just the solara-session-id).

[maartenbreddels]

Since a lot is happening in the frontend nowadays calling difference services, I think it's more common to store session-ids or token on the frontend (cookie or localstorage).
I would be totally ok with accepting an PR that makes this configurable. We could decide later on if we want to make http_only a default or not.
Does that sound ok to you?