Missing Secure Flag & HttpOnly Flag From SSL Cookie - OWA
Hello, I've been a bit stuck on this issue for a few days and am hoping to get some help on this...
We are running Exchange 2010 with SP1 Rollup 6. The server is running great and OWA is on 443. We have two servers for Exchange. One is running the Transport and Mailbox, and the other is CAS. We use IBM for firewall / IDS and we run scheduled penetration tests.
We came back with two vulnerabilities:
1) Missing HttpOnly Flag From Cookie
2) Missing Secure Flag From SSL Cookie
Their solution is to:
Add the HttpOnly flag to all cookies and add the Secure flag to cookies sent over SSL.
I tried adding this line and playing with the boolean with no luck:
<httpCookies httpOnlyCookies="false" requireSSL="true" domain="" />
I set this in the web.config under Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa
If I turn httpOnlyCookies="true" it will break OWA.
Any help would be appreciated! Thanks :)
Will
Hi,
We do not set the cookies to HttpOnly because we require access to certain of these cookies from scripts.
So we cannot change this, but we take care to use best practices and safeguards within our code to protect against cross-site scripting attacks.
So it is by design.
Xiu Zhang
TechNet Community Support
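As an added example (not from this thread, from Microsoft, or from Exchange), a small Python auditor for the two findings in the report: it parses Set-Cookie response headers for the Secure and HttpOnly flags, treating cookies that page scripts must read (the by-design case in the reply) as an allow-list, and reads the httpOnlyCookies and requireSSL attributes from an httpCookies element like the one tried above. The header values, cookie names and the web.config wrapper around the element are constructed samples.

```python
"""Audit cookie flags for the two pentest findings (added example)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, Iterable, List


@dataclass
class CookieReport:
    name: str
    secure: bool
    httponly: bool
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header_value: str) -> CookieReport:
    """Parse one Set-Cookie header value into its name and the two flags."""
    # NAME=VALUE comes first; each further ';'-separated token is an attribute.
    # Attribute names are case-insensitive (RFC 6265), so compare lower-cased.
    tokens = [t.strip() for t in header_value.split(";")]
    name = tokens[0].split("=", 1)[0].strip()
    attrs = {t.split("=", 1)[0].strip().lower() for t in tokens[1:] if t}
    return CookieReport(name, "secure" in attrs, "httponly" in attrs)


def audit_set_cookie(headers: Iterable[str], over_ssl: bool,
                     script_readable: Iterable[str] = ()) -> List[CookieReport]:
    """Report missing flags per cookie. Secure is only expected on cookies
    sent over SSL; cookies that page scripts legitimately read (the
    by-design case in the reply) go in script_readable and skip HttpOnly."""
    allow = set(script_readable)
    reports = []
    for value in headers:
        rep = parse_set_cookie(value)
        if over_ssl and not rep.secure:
            rep.findings.append("Missing Secure flag from SSL cookie")
        if not rep.httponly and rep.name not in allow:
            rep.findings.append("Missing HttpOnly flag from cookie")
        reports.append(rep)
    return reports


def check_httpcookies(web_config_xml: str) -> Dict[str, bool]:
    """Read the <httpCookies> defaults that ASP.NET applies to the cookies
    it emits itself. A missing attribute counts as false."""
    el = next(ET.fromstring(web_config_xml).iter("httpCookies"), None)

    def flag(attr: str) -> bool:
        return el is not None and el.get(attr, "false").lower() == "true"

    return {"httpOnlyCookies": flag("httpOnlyCookies"),
            "requireSSL": flag("requireSSL")}


# Constructed sample headers, as a scanner records them from a 443 response.
SAMPLE_HEADERS = [
    "sessionid=0123abcd; path=/; HttpOnly",  # Secure missing
    "prefs=AbCd; path=/; Secure",            # HttpOnly missing
    "ui_state=0; path=/",                    # both missing, but script-readable
]

# Constructed wrapper around the element the poster tried in web.config.
SAMPLE_WEB_CONFIG = """<configuration><system.web>
<httpCookies httpOnlyCookies="false" requireSSL="true" domain="" />
</system.web></configuration>"""

if __name__ == "__main__":
    for rep in audit_set_cookie(SAMPLE_HEADERS, True, ["ui_state"]):
        print(rep.name, rep.findings or ["ok"])
    print(check_httpcookies(SAMPLE_WEB_CONFIG))
```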
Similar Messages
-
Setting Secure and HttpOnly flags in JSESSIONID cookie
I have a web app hosted on WebLogic (8.1 I'm afraid!), and want to secure the JSESSIONID cookie by setting the Secure and HttpOnly flags on it. The intention is to prevent cookie theft.
As regards the Secure flag, I've tried using the myCookie.setSecure(true) method. This works fine when I debug and step through the code, but by the time the cookie gets back to the client, it has been reset to false again (I'm not clear what by, though...).
There isn't a Cookie method to allow you to set HttpOnly.
I've thought of using a filter to intercept the response and set the flags explicitly, but this seems like a lot of work for something that seems very simple. I can't find anything in the WebLogic documentation that allows me to configure the settings either.
Does anyone have any bright ideas about how I can do this?
Thanks
Geoff
I don't think there is HttpOnly support for WebLogic 8.1 or other versions.
Maybe you want to send a note to WebLogic support to find out if they are planning this feature in future?
Jayesh
Yagna Sys -
Session Cookies Being Overwritten Browsing From SSL to Non SSL
I have created a bug report for this issue as well.
Please note I am using J2EE session variables so keep that in mind.
I am seeing session cookies being overwritten when browsing from an SSL connection to a non SSL connection.
For example:
Visiting https://www.domain.com/ results in a JSESSIONID cookie being set with details being sent for "Encrypted connections only".
Visiting http://www.domain.com/ results in a JSESSIONID cookie being set with details being sent for "Any type of connection".
Here's the problem:
Say for example, you're logging into an admin module located at https://www.domain.com/admin/. Once authenticated and some session variables are set, you browse to http://www.domain.com/. When that happens your session cookie (JSESSIONID) is overwritten with a new value and you instantly lose your authentication in the admin module.
Obviously this is causing massive problems for my clients that bounce back and forth from SSL to non SSL connections which is common for e-commerce websites.
Steps to Reproduce:
1. Clear your cookies.
2. Visit a web page such as https://www.domain.com/. Note the JSESSIONID cookie value.
3. Visit a web page such as http://www.domain.com/. Note the JSESSIONID cookie value and how it was overwritten.
This behavior changed in ColdFusion 10. ColdFusion 9 did not overwrite the session cookie.
Has anyone else experienced this?
Deleting and re-adding my account seems to have fixed it. I think when I initially added my Google Talk account, it was by using the "Add Jabber Account" under 10.6 or something. Now, when I re-added my account, I notice both "Google Talk" and "Jabber" are options, so my thought here is that Jabber and Google Talk options are no longer quite the same thing.
-
Why my Flagged photos vanished from photo library after I clicked to number next to it??
Why my Flagged photos vanished from photo library?
There are 9 different versions of iPhoto and they run on 9 different versions of the Operating System. The tricks and tips for dealing with issues vary depending on the version of iPhoto and the version of the OS. So to get help you need to give as much information as you can. Include things like:
- What version of iPhoto.
- What version of the Operating System.
- Details. As full a description of the problem as you can. For example, if you have a problem with exporting, then explain by describing how you are trying to export, and so on.
- History: Is this going on long? Has anything been installed or deleted?
- Are there error messages?
- What steps have you tried already to solve the issue.
- Anything unusual about your set up? Or how you use iPhoto?
Anything else you can think of that might help someone understand the problem you have. -
Performance Gain for IRIX servers if Personal flag is removed from magnus.conf file.
As shipped by SGI, some of the server products have a flag set in the magnus.conf file setting a small footprint for the servers, generally less than 1 megabyte of memory. This flag is the Personal flag, and looks something like:
MaxProcs 1
MinThreads 1
MaxThreads 8
Personal on
For one's own personal use, this is fine. But if CGIs are called, or if the site sees more traffic, then the flag may need to be removed, to look like:
MaxProcs 1
MinThreads 1
MaxThreads 8
A significant performance gain (and a corresponding increase in memory used) would be seen by increasing the MaxThreads, as well.
For more complete tuning recommendations on SGI/IRIX, please see SGI's Tuning IRIX 6.2 for a Web Server page.
That's a comment in the file. It has no effect at all.
-
"EQG-31210:Missing security attribute value from document" for crawl CDB
I am using Secure Enterprise Search to crawl Content Database. But the crawler throws the following exception for all the documents the crawler crawled.
13:18:24:424 INFO filter_1 submitting doc http://dvod1.cn.oracle.com:7778/content/dav/cn/mtblog/t/te/TEST1/2007/06/only_a_test.html with status: 200
13:18:24:425 INFO filter_1 Processing http://dvod1.cn.oracle.com:7778/content/dav/cn/mtblog/t/te/TEST1/2007/06/only_a_test.html
13:18:24:425 ERROR filter_1 EQG-31210: Missing security attribute value from document: http://dvod1.cn.oracle.com:7778/content/dav/cn/mtblog/t/te/TEST1/2007/06/only_a_test.html oracle.search.crawler.WebCrawlerException oracle.search.crawler.URLAccess:processUrlEntry:2759 oracle.search.crawler.CrawlingThread:submitForProcessing:7183 oracle.search.plugin.ocs.cservices.CSBrowse:submit:1727 oracle.search.plugin.ocs.cservices.CSBrowse:processDocument:1334 oracle.search.plugin.ocs.cservices.CSBrowse:processNextItem:1083 oracle.search.plugin.ocs.cservices.CSBrowse:browse:1170 oracle.search.plugin.ocs.cservices.OCSCSPlugin:crawl:154 oracle.search.crawler.CrawlingThread:run:1443
Hi Juwan,
Which SES are you using?
We have seen such an exception in SES 10.1.8 if we try to submit a public document. -
How to find out portal user from sso cookie ?
Hi,
I want to find out the portal user id from Portal30_sso cookie. It is required for security in my java servlet.
Thanks
Vikas
First of all, you can't get anything from the portal30_sso cookie or the portal30 cookie or the SSO_ID cookie. These are cookies established for (1) The login server session; (2) The Portal session; (3) The login server single sign-on cookie - visible only to the login server.
When you want to know who the current user is, you need to establish the context. If your servlet is standalone and not a partner application to the login server and it's not a portlet, etc., then what context does it have? What concept of users does it have? If you are really asking what Portal is currently logged on, that is still a loaded question. The user's browser could be accessing several portals at the same time, each with a different identity. What I am getting at is that your servlet needs to somehow be associated with a particular portal before it can even think of asking this question.
The ways to associate your servlet with a portal would be:
1. Make it a partner application
2. Make it a portlet
3. Make it an external application
Hope that helps. -
Hello,
I have an issue with connecting client SB1H on Windows, the scenario is as follows:
1.- Server:
Suse Linux Enterprise Server 11.3 kernel version: 3.0.76-0.11 IBM
NDB and Server are revision 69 SP06
2.- Client:
Windows 8 Pro Virtual Machine on Microsoft Hyper-V
SB1H PL 11 version 32bits
SAP HANA Studio version 1.0.60
When I run SB1H the following message appears:
There is a problem with the server's security certificate. The security certificate is not from a trusted certifying authority. SAP Business One is unable to connect to the server.
Any idea what could be the solution?
Hi,
Please check SAP notes:
1993392 - Server components setup wizard: New default values for certificates and single sign-on option
1929288 - Do not configure SSL for XApp during installation or upgrade if XApp is installed on a different machine than the SAP HANA server
Thanks & Regards,
Nagarajan -
Missing version field in response from server when accessing resource
Hi
I have a problem using the version option of Web Start. All files are included in a war file (created with jar cvf xx.war *). This file is in the webapps folder of Tomcat 5. The jar files from the dev. kit (jnlp-servlet.jar, jaxp.jar, parser.jar) are in the WEB-INF/lib folder.
Every time I get the same message:
Category: Download Error
Missing version field in response from server when accessing resource: (http://localhost:8080/version/ademo.jar, 1.1)
Do I need an additional file or must I write a servlet???
What's wrong?
my JNLP file
<?xml version="1.0" encoding="utf-8"?>
<!-- JNLP File fuer HJP3 WebStart Demo-Applikation -->
<jnlp codebase="http://localhost:8080/version/" href="wstest.jnlp">
<information>
<title>HJP3 WebStart Demo Application</title>
<vendor>Guido Krueger</vendor>
<homepage href="http://www.javabuch.de"/>
<description>HJP3 WebStart Demo Application</description>
<icon href="wstest.gif"/>
<offline-allowed/>
</information>
<information locale="de">
<description>HJP3 WebStart Demo-Applikation</description>
<offline-allowed/>
</information>
<security>
<!-- <all-permissions/> //-->
</security>
<resources>
<j2se version="1.4+"/>
<jar href="ademo.jar" version="1.1"/>
</resources>
<application-desc main-class="Listing3813"/>
</jnlp>
my version.xml file
<jnlp-versions>
<resource>
<pattern>
<name>ademo.jar</name>
<version-id>1.1</version-id>
</pattern>
<file>application.jar</file>
</resource>
</jnlp-versions>
my web.xml file
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
<servlet>
<servlet-name>JnlpDownloadServlet</servlet-name>
<servlet-class>com.sun.javaws.servlet.JnlpDownloadServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>JnlpDownloadServlet</servlet-name>
<url-pattern>*.jnlp</url-pattern>
</servlet-mapping>
</web-app>
The log file (jnlpdownloadservlet.log) would show the calls for the jar files if the servlet is called for the jar files (did you correct the URL mapping?). Here are a few lines from a log file:
JnlpDownloadServlet(4): Initializing
JnlpDownloadServlet(3): Request: /maportal/wfe/wfeguiv.jnlp
JnlpDownloadServlet(3): User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040206 Firefox/0.8
JnlpDownloadServlet(4): DownloadRequest[path=/wfe/wfeguiv.jnlp isPlatformRequest=false]
JnlpDownloadServlet(4): Basic Protocol lookup
JnlpDownloadServlet(4): JnlpResource: JnlpResource[WAR Path: /wfe/wfeguiv.jnlp lastModified=Tue Mar 23 17:06:56 CET 2004]]
JnlpDownloadServlet(3): Resource returned: /wfe/wfeguiv.jnlp
JnlpDownloadServlet(4): lastModified: 1080058016000 Tue Mar 23 17:06:56 CET 2004
JnlpDownloadServlet(3): Request: /maportal/wfe/wfegui.gif
JnlpDownloadServlet(3): User-Agent: JNLP/1.0.1 javaws/1.4.2_03 (b02) J2SE/1.4.2_03
JnlpDownloadServlet(4): DownloadRequest[path=/wfe/wfegui.gif isPlatformRequest=false]
JnlpDownloadServlet(3): Request: /maportal/wfe/wfegui.jar
JnlpDownloadServlet(3): User-Agent: JNLP/1.0.1 javaws/1.4.2_03 (b02) J2SE/1.4.2_03
JnlpDownloadServlet(4): DownloadRequest[path=/wfe/wfegui.jar isPlatformRequest=false]
JnlpDownloadServlet(4): Basic Protocol lookup
JnlpDownloadServlet(4): JnlpResource: JnlpResource[WAR Path: /wfe/wfegui.jar lastModified=Tue Mar 23 17:06:30 CET 2004]]
JnlpDownloadServlet(3): Resource returned: /wfe/wfegui.jar
You should see all the resources (including jar files) being requested, and whether a specific version was requested or not (in the above sample, not).
I put my problems down to my application server (Orion) as other people seem to have this working. The deployment in Orion keeps the original timestamps of the jars, so I explicitly set the timestamps in my build so that the unchanged jars do not have to be downloaded all the time. This is not really a good solution, so maybe someone else can give further advice.
Brendan -
OWSM SAML Verify step problem: Missing Security Header in SOAP message
I'm having a problem with SAML steps. From gateway log:
2008-09-17 13:21:32,987 INFO [HTTPThreadGroup-58] saml.InsertSAMLSVStep - User attributes map set to generate the attribute assertions: null
2008-09-17 13:21:33,034 INFO [HTTPThreadGroup-60] saml.SAMLProcessor - Assertion Major Version :1 , Minor Version :1
2008-09-17 13:21:33,034 WARNING [HTTPThreadGroup-60] saml.SAMLProcessor - SAML Assertion verification error: An invalid token was provided
2008-09-17 13:21:33,034 WARNING [HTTPThreadGroup-60] saml.VerifySAMLStep - SAML Token verification failed:
2008-09-17 13:21:33,096 SEVERE [HTTPThreadGroup-58] wssecurity.OSDTWSSecurity - Missing Security Header in SOAP message
2008-09-17 13:21:33,096 WARNING [HTTPThreadGroup-58] wssecurity.SecurityBaseStep - Failure while applying XML Security
FAULT CODE: InvalidSecurity FAULT MESSAGE: Missing WS Security header in the SOAP message
at com.cfluent.policysteps.security.wssecurity.OSDTWSSecurity.decryptVerify(OSDTWSSecurity.java:369)
at com.cfluent.policysteps.security.wssecurity.DecryptStep.performXmlSecurity(DecryptStep.java:131)
at com.cfluent.policysteps.security.wssecurity.SecurityBaseStep.execute(SecurityBaseStep.java:238)
at com.cfluent.pipelineengine.container.DefaultPipeline.executeStep(DefaultPipeline.java:124)
but the wsse:Security header with SAML assertion IS confirmed in the incoming message log. Anybody seen this issue?
Below is the log of the incoming message just prior to the failing SAML Verify step:
<?xml version="1.0" encoding="UTF-8" ?>
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns0="http://exception.common.periop.gehc.com" xmlns:ns1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:ns2="http://www.patient.patientmanager.periop.gehc.com/service/" xmlns:ns3="http://entity.common.periop.gehc.com" xmlns:ns4="http://entity.patient.patientmanager.periop.gehc.com" xmlns:ns5="http://entity.allergy.patientmanager.periop.gehc.com" xmlns:ns6="http://pdo.domain.customizer.periop.gehc.com" xmlns:ns7="http://entity.cases.scheduler.periop.gehc.com" xmlns:ns8="http://entity.insurance.patientmanager.periop.gehc.com">
<env:Header>
<ns1:Security>
<saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="158RBY2QvCFPiTqdXYWh9A22" IssueInstant="2008-09-17T19:58:43Z" Issuer="GE" xmlns="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
<saml:Conditions NotBefore="2008-09-17T19:58:13Z" NotOnOrAfter="2008-09-17T19:59:43Z" />
<saml:AuthenticationStatement AuthenticationInstant="2008-09-17T19:58:43Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
<saml:Subject>
<saml:NameIdentifier NameQualifier="www.ge.com" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">gowri</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
</saml:Assertion>
</ns1:Security>
</env:Header>
<env:Body>
<ns2:getPatient>
<ns2:patientId>137115</ns2:patientId>
</ns2:getPatient>
</env:Body>
</env:Envelope>
-
Hi,
I have VS2013 update 4 and IE11 installed. When I try to sign in through VS I get the following error.
SP324081: Check that your Internet Explorer security settings will allow JavaScript and cookies. If enabled, please contact support.
I have checked and JAVASCRIPT and cookies are enabled.
Any help is appreciated.
Hi Sath12,
If possible, I suggest you reset IE settings.
Please lower the security level. Then I added the site like https://*.visualstudio.com/ to the trusted zones. Test it again.
I have met this issue before which was related to the IE settings or the account issue.
https://social.msdn.microsoft.com/Forums/sqlserver/en-US/290948f6-b4ca-41e3-9888-91fbbc71cdeb/cannot-register-sign-in-from-vs-express-2013?forum=visualstudiogeneral
A connect report still shared some information about it:
https://connect.microsoft.com/VisualStudio/feedback/details/811860/vs-express-2013-for-web-browser-is-security-restricted-or-javascript-is-disabled
Best Regards,
Jack
-
Error when trying to retrieve UserName from MySAPSSO2 cookie
Hi,
I tried to retrieve the UserName from MySAPSSO2 cookie using the dotnet toolkit, but I keep getting the error "User Not Aunthenticated". I have placed the verify.pse files in a folder called psefiles in the same location as the bin folder of my application.
I then also tried to directly use Convert.FromBase64String() to read the username from the cookie, but during conversion I get the error "Invalid character in a Base- 64 string"
Any help is highly appreciated.
Thanks,
Kantishree D.
From the menu bar, select
▹ System Preferences ▹ Energy Saver ▹ Power Adapter
and uncheck the box labeled Put the hard disk(s) to sleep when possible, if it's checked.
If the drive has more than one interface (USB, FireWire, Thunderbolt, eSATA), try one of the other interfaces.
Check that the data cable is securely inserted at both ends.
Try a different cable.
If you're connecting the drive through a hub, connect it directly to a built-in port on the Mac.
If you're connecting it directly, try a different port.
Disconnect all other devices on the bus, or as many as possible.
Test the drive with another Mac. Test another drive with this Mac.
If the drive is bus-powered, but has an AC adapter, connect the adapter.
Start up in Safe Mode and test.
If the drive doesn't work under any of the above conditions, and if another drive does work with the same Mac, then the drive has failed. You may be able to salvage the mechanism by removing it from the enclosure and installing it in another one, or in a drive dock. -
Removal of Central Security Service ransomware virus from MacBook Air
How to remove Central Security Service ransomware virus from MacBook Air OS X 10.8.5
Go step by step and test.
1. Force Quit.
Press command + option + esc keys together at the same time. Wait.
When Force Quit window appears, select the Safari if not already.
Press Force Quit button at the bottom of the window. Wait.
Safari will quit.
Relaunch Safari holding the shift key down.
2. Safari > Preferences > Extensions
Turn those off and try Safari.
3. Safari > Preferences > Privacy > Cookies and other website data:
Press “Remove all website data” button.
4. If adware is installed without your knowledge,
download AdwareMedic by clicking “Download” from here
http://www.adwaremedic.com
Install, open, and run it by clicking the “Scan for Adware” button to remove adware.
Once done scanning and removing the adware, quit the app by clicking AdMedic in the menubar
and selecting “Quit AdwareMedic”. -
I'm having trouble changing my security questions; they are from years ago so I do not remember them, and the reset email is no longer active. I don't know how I can use the account because I added money to it but it asks for the questions. Anybody help??
This says it all..
Welcome to the Apple Community.
Contact Apple through iTunes Store Support, and explain that you have forgotten your 3 security questions, that you can reset your password, but doing so doesn't reset your security questions.
Remember, support will receive hundreds, if not thousands of requests per day, some from people trying it on, others with little explanation and others that are written extremely poorly. Take the time to explain your situation properly, be precise and concise, brief but comprehensive. -
Hard drive is missing. I can boot from the cd but when running the disk utility, no hard drive shows up.
This is a problem that suddenly appeared.
Please post a screenshot of Disk Utility that shows what you mean. Be careful not to include any private information.
Start a reply to this message. Click the camera icon in the toolbar of the editing window and select the image file to upload it. You can also include text in the reply.