Missing Secure Flag & HttpOnly Flag From SSL Cookie - OWA

Hello, I've been stuck on this issue for a few days and am hoping to get some help on this...
We are running Exchange 2010 with SP1 Rollup 6. The server is running great and OWA is on 443. We have two servers for Exchange. One is running the Transport and Mailbox roles, and the other is the CAS. We use IBM for firewall / IDS and we run scheduled penetration tests.
We came back with two vulnerabilities:
1) Missing HttpOnly Flag From Cookie
2) Missing Secure Flag From SSL Cookie
Their solution is to:
Add the HttpOnly to all cookies and Add the Secure flag to cookies sent over SSL
I tried adding this line and playing with the boolean with no luck:
<httpCookies httpOnlyCookies="false" requireSSL="true" domain="" />
I set this in the web.config under Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa
If I turn httpOnlyCookies="true" it will break OWA
Any help would be appreciated! Thanks :)
Will

Hi,
We do not set the cookies to HttpOnly because we require access to certain of these cookies from scripts.
So we cannot change this, but we take care to use best practices and safeguards within our code to protect against cross-site scripting attacks.
So it is by design.
Xiu Zhang
TechNet Community Support
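As an added example (not code from this thread or from Microsoft), the following Python script parses a response's Set-Cookie headers and reports which cookies lack the Secure and HttpOnly flags, which is the same check behind the two scan findings above; it runs offline on constructed sample headers, and the optional fetch_set_cookie helper (its host and path arguments are assumptions) can be pointed at a server to re-check after a web.config change.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly flags.

Added example, not code from the thread: parse the Set-Cookie headers of a
response and report which cookies lack the two flags the pentest reported.
"""
import http.client
from typing import Dict, List

# Constructed sample response headers (names and values are illustrative,
# not captured from a real OWA server).
SAMPLE_HEADERS = [
    "sessionid=abc123; path=/; secure; HttpOnly",
    "cadata=def456; path=/; secure",
    "PBack=0; path=/",
]


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header into name, value and attributes.

    Attribute names are matched case-insensitively (RFC 6265 section 5.2);
    flag attributes such as Secure and HttpOnly carry no value and are
    stored as True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_cookies(headers: List[str], over_tls: bool = True) -> Dict[str, List[str]]:
    """Return {cookie_name: [missing flags]} for every cookie in `headers`.

    Secure is only expected when the response came over TLS, which is
    exactly the condition behind "Missing Secure Flag From SSL Cookie".
    HttpOnly is expected unless script access is a deliberate design
    choice, as the OWA reply above states; the audit still lists it so
    the exception is documented rather than overlooked.
    """
    findings: Dict[str, List[str]] = {}
    for header in headers:
        cookie = parse_set_cookie(header)
        missing = []
        if over_tls and "secure" not in cookie["attrs"]:
            missing.append("Secure")
        if "httponly" not in cookie["attrs"]:
            missing.append("HttpOnly")
        findings[cookie["name"]] = missing
    return findings


def fetch_set_cookie(host: str, path: str = "/owa/") -> List[str]:
    """Fetch `path` over HTTPS and return every raw Set-Cookie header.

    Live helper for re-checking a server after a web.config change; host
    and path are assumptions and it is not used in the offline run below.
    """
    conn = http.client.HTTPSConnection(host, timeout=10)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return [v for k, v in resp.getheaders() if k.lower() == "set-cookie"]
    finally:
        conn.close()


if __name__ == "__main__":
    for name, missing in audit_cookies(SAMPLE_HEADERS).items():
        print(f"{name}: {'ok' if not missing else 'missing ' + ', '.join(missing)}")
```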

Similar Messages

  • Setting Secure and HttpOnly flags in JSESSIONID cookie

    I have a web app hosted on WebLogic (8.1 I'm afraid!), and want to secure the JSESSIONID cookie by setting the Secure and HttpOnly flags on it. The intention is to prevent cookie theft.
    As regards the Secure flag, I've tried using the myCookie.setSecure(true) method. This works fine when I debug and step through the code, but by the time the cookie gets back to the client, it has been reset to false again (I'm not clear what by, though...).
    There isn't a Cookie method to allow you to set HttpOnly.
    I've thought of using a filter to intercept the response and set the flags explicitly, but this seems like a lot of work for something that seems very simple. I can't find anything in the WebLogic documentation that allows me to configure the settings either.
    Does anyone have any bright ideas about how I can do this?
    Thanks
    Geoff

    I don't think there is HTTPOnly support for WebLogic 8.1 or other versions.
    Maybe you want to send a note to WebLogic support to find out if they are planning this feature in the future?
    Jayesh
    Yagna Sys

  • Session Cookies Being Overwritten Browsing From SSL to Non SSL

    I have created a bug report for this issue as well.
    Please note I am using J2EE session variables so keep that in mind.
    I am seeing session cookies being overwritten when browsing from an SSL connection to a non SSL connection.
    For example:
    Visiting https://www.domain.com/ results in a JSESSIONID cookie being set with details being sent for "Encrypted connections only".
    Visiting http://www.domain.com/ results in a JSESSIONID cookie being set with details being sent for "Any type of connection".
    Here's the problem:
    Say for example, you're logging into an admin module located at https://www.domain.com/admin/. Once authenticated and some session variables are set, you browse to http://www.domain.com/. When that happens your session cookie (JSESSIONID) is overwritten with a new value and you instantly lose your authentication in the admin module.
    Obviously this is causing massive problems for my clients that bounce back and forth from SSL to non SSL connections which is common for e-commerce websites.
    Steps to Reproduce:
    1. Clear your cookies.
    2. Visit a web page such as https://www.domain.com/. Note the JSESSIONID cookie value.
    3. Visit a web page such as http://www.domain.com/. Note the JSESSIONID cookie value and how it was overwritten.
    This behavior changed in ColdFusion 10. ColdFusion 9 did not overwrite the session cookie.
    Has anyone else experienced this?

    Deleting and re-adding my account seems to have fixed it.  I think when I initially added my Google Talk account, it was by using the "Add Jabber Account" under 10.6 or something.  Now, when I re-added my account, I notice both "Google Talk" and "Jabber" are options, so my thought here is that Jabber and Google Talk options are no longer quite the same thing.

  • Why did my flagged photos vanish from the photo library after I clicked the number next to it?

    Why did my flagged photos vanish from the photo library?

    There are 9 different versions of iPhoto and they run on 9 different versions of the Operating System. The tricks and tips for dealing with issues vary depending on the version of iPhoto and the version of the OS. So to get help you need to give as much information as you can. Include things like:
    - What version of iPhoto.
    - What version of the Operating System.
    - Details. As full a description of the problem as you can. For example, if you have a problem with exporting, then explain by describing how you are trying to export, and so on.
    - History: Is this going on long? Has anything been installed or deleted? - Are there error messages?
    - What steps have you tried already to solve the issue.
    - Anything unusual about your set up? Or how you use iPhoto?
    Anything else you can think of that might help someone understand the problem you have.

  • Performance Gain for IRIX servers if Personal flag is removed from magnus.conf file.

    Performance Gain for IRIX servers if Personal flag is removed from magnus.conf file.
    As shipped by SGI, some of the server products have a flag set in the
    magnus.conf file setting a small footprint for the servers, generally
    less than 1 megabyte of memory. This flag is the Personal flag, and
    looks something like:

    MaxProcs 1
    MinThreads 1
    MaxThreads 8
    Personal on

    For one's own personal use, this is fine. But if CGIs are called, or
    if the site sees more traffic, then the flag may need to be removed,
    to look like:

    MaxProcs 1
    MinThreads 1
    MaxThreads 8

    A significant performance gain (and a corresponding increase in
    memory used) would be seen by increasing the MaxThreads, as well.

    For more complete tuning recommendations on SGI/IRIX, please see SGI's
    Tuning IRIX 6.2 for a Web Server page.

    That's a comment in the file. It has no effect at all.

  • "EQG-31210:Missing security attribute value from document" for crawl CDB

    I am using Secure Enterprise Search to crawl the Content Database, but the crawler throws the following exception for every document it crawls.
    13:18:24:424 INFO     filter_1          submitting doc http://dvod1.cn.oracle.com:7778/content/dav/cn/mtblog/t/te/TEST1/2007/06/only_a_test.html with status: 200
    13:18:24:425 INFO     filter_1          Processing http://dvod1.cn.oracle.com:7778/content/dav/cn/mtblog/t/te/TEST1/2007/06/only_a_test.html
    13:18:24:425 ERROR     filter_1     EQG-31210: Missing security attribute value from document: http://dvod1.cn.oracle.com:7778/content/dav/cn/mtblog/t/te/TEST1/2007/06/only_a_test.html oracle.search.crawler.WebCrawlerException     oracle.search.crawler.URLAccess:processUrlEntry:2759     oracle.search.crawler.CrawlingThread:submitForProcessing:7183     oracle.search.plugin.ocs.cservices.CSBrowse:submit:1727     oracle.search.plugin.ocs.cservices.CSBrowse:processDocument:1334     oracle.search.plugin.ocs.cservices.CSBrowse:processNextItem:1083     oracle.search.plugin.ocs.cservices.CSBrowse:browse:1170     oracle.search.plugin.ocs.cservices.OCSCSPlugin:crawl:154     oracle.search.crawler.CrawlingThread:run:1443

    Hi Juwan,
    Which SES are you using?
    We have seen such an exception in SES 10.1.8 when trying to submit a public document.

  • How to find out portal user from sso cookie ?

    Hi,
    I want to find out the portal user id from Portal30_sso cookie. It is required for security in my java servlet.
    Thanks
    Vikas

    First of all, you can't get anything from the portal30_sso cookie or the portal30 cookie or the SSO_ID cookie. These are cookies established for (1) The login server session; (2) The Portal session; (3) The login server single sign-on cookie - visible only to the login server.
    When you want to know who the current user is, you need to establish the context. If your servlet is standalone and not a partner application to the login server and it's not a portlet, etc., then what context does it have? What concept of users does it have? If you are really asking what Portal is currently logged on, that is still a loaded question. The user's browser could be accessing several portals at the same time, each with a different identity. What I am getting at is that your servlet needs to somehow be associated with a particular portal before it can even think of asking this question.
    The ways to associate your servlet with a portal would be:
    1. Make it a partner application
    2. Make it a portlet
    3. Make it an external application
    Hope that helps.

  • There is a problem with the server's security certificate. The security certificate is not from a trusted certifying authority. SAP Business One is unable to connect to the server

    Hello,
    I have an issue with connecting client SB1H on Windows, the scenario is as follows:
    1.- Server:
         Suse Linux Enterprise Server 11.3 kernel version: 3.0.76-0.11 IBM
         NDB and Server are review 69 SP06
    2.- Client:
         Windows 8 Pro Virtual Machine on Microsoft Hyper-V
         SB1H PL 11 version 32bits    
         SAP HANA Studio version 1.0.60
    When I run SB1H the following message appears:
    There is a problem with the server's security certificate. The security certificate is not from a trusted certifying authority. SAP Business One is unable to connect to the server.
    Any idea what could be the solution?

    Hi,
    Please check SAP notes:
    1993392 - Server components setup wizard: New default values for certificates and single sign-on option
    1929288 - Do not configure SSL for XApp during installation or upgrade if XApp is installed on a different machine than the SAP HANA server
    Thanks & Regards,
    Nagarajan

  • Missing version field in response from server when accessing resource

    Hi,
    I have a problem using the version option of Web Start. All files are included in a war file (created with jar cvf xx.war *). This file is in the webapps folder of Tomcat 5. The jar files from the dev. kit (jnlp-servlet.jar, jaxp.jar, parser.jar) are in the WEB-INF/lib folder.
    Every time I get the same message:
    Category: Download Error
    Missing version field in response from server when accessing resource: (http://localhost:8080/version/ademo.jar, 1.1)
    Do I need an additional file or must I write a servlet???
    What's wrong?
    My JNLP file:
    <?xml version="1.0" encoding="utf-8"?>
    <!-- JNLP File fuer HJP3 WebStart Demo-Applikation -->
    <jnlp codebase="http://localhost:8080/version/" href="wstest.jnlp">
    <information>
    <title>HJP3 WebStart Demo Application</title>
    <vendor>Guido Krueger</vendor>
    <homepage href="http://www.javabuch.de"/>
    <description>HJP3 WebStart Demo Application</description>
    <icon href="wstest.gif"/>
    <offline-allowed/>
    </information>
    <information locale="de">
    <description>HJP3 WebStart Demo-Applikation</description>
    <offline-allowed/>
    </information>
    <security>
    <!-- <all-permissions/> //-->
    </security>
    <resources>
    <j2se version="1.4+"/>
    <jar href="ademo.jar" version="1.1"/>
    </resources>
    <application-desc main-class="Listing3813"/>
    </jnlp>
    My version.xml file:
    <jnlp-versions>
    <resource>
    <pattern>
    <name>ademo.jar</name>
    <version-id>1.1</version-id>
    </pattern>
    <file>application.jar</file>
    </resource>
    </jnlp-versions>
    My web.xml file:
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
    <web-app>
         <servlet>
              <servlet-name>JnlpDownloadServlet</servlet-name>
              <servlet-class>com.sun.javaws.servlet.JnlpDownloadServlet</servlet-class>
         </servlet>
         <servlet-mapping>
              <servlet-name>JnlpDownloadServlet</servlet-name>
              <url-pattern>*.jnlp</url-pattern>
         </servlet-mapping>
    </web-app>

    The log file (jnlpdownloadservlet.log) would show the calls for the jar files if the servlet is called for the jar files (did you correct the URL mapping?). Here are a few lines from a log file:
    JnlpDownloadServlet(4): Initializing
    JnlpDownloadServlet(3): Request: /maportal/wfe/wfeguiv.jnlp
    JnlpDownloadServlet(3): User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040206 Firefox/0.8
    JnlpDownloadServlet(4): DownloadRequest[path=/wfe/wfeguiv.jnlp isPlatformRequest=false]
    JnlpDownloadServlet(4): Basic Protocol lookup
    JnlpDownloadServlet(4): JnlpResource: JnlpResource[WAR Path: /wfe/wfeguiv.jnlp lastModified=Tue Mar 23 17:06:56 CET 2004]]
    JnlpDownloadServlet(3): Resource returned: /wfe/wfeguiv.jnlp
    JnlpDownloadServlet(4): lastModified: 1080058016000 Tue Mar 23 17:06:56 CET 2004
    JnlpDownloadServlet(3): Request: /maportal/wfe/wfegui.gif
    JnlpDownloadServlet(3): User-Agent: JNLP/1.0.1 javaws/1.4.2_03 (b02) J2SE/1.4.2_03
    JnlpDownloadServlet(4): DownloadRequest[path=/wfe/wfegui.gif isPlatformRequest=false]
    JnlpDownloadServlet(3): Request: /maportal/wfe/wfegui.jar
    JnlpDownloadServlet(3): User-Agent: JNLP/1.0.1 javaws/1.4.2_03 (b02) J2SE/1.4.2_03
    JnlpDownloadServlet(4): DownloadRequest[path=/wfe/wfegui.jar isPlatformRequest=false]
    JnlpDownloadServlet(4): Basic Protocol lookup
    JnlpDownloadServlet(4): JnlpResource: JnlpResource[WAR Path: /wfe/wfegui.jar lastModified=Tue Mar 23 17:06:30 CET 2004]]
    JnlpDownloadServlet(3): Resource returned: /wfe/wfegui.jar
    You should see all the resources (including jar files) being requested, and whether a specific version was requested or not (in the above sample, not).
    I put my problems down to my application server (Orion) as other people seem to have this working. The deployment in Orion keeps the original timestamps of the jars, so I explicitly set the timestamps in my build so that the unchanged jars do not have to be downloaded all the time. This is not really a good solution, so maybe someone else can give further advice.
    Brendan

  • OWSM SAML Verify step problem: Missing Security Header in SOAP message

    I'm having a problem with SAML steps. From gateway log:
    2008-09-17 13:21:32,987 INFO [HTTPThreadGroup-58] saml.InsertSAMLSVStep - User attributes map set to generate the attribute assertions: null
    2008-09-17 13:21:33,034 INFO [HTTPThreadGroup-60] saml.SAMLProcessor - Assertion Major Version :1 , Minor Version :1
    2008-09-17 13:21:33,034 WARNING [HTTPThreadGroup-60] saml.SAMLProcessor - SAML Assertion verification error: An invalid token was provided
    2008-09-17 13:21:33,034 WARNING [HTTPThreadGroup-60] saml.VerifySAMLStep - SAML Token verification failed:
    2008-09-17 13:21:33,096 SEVERE [HTTPThreadGroup-58] wssecurity.OSDTWSSecurity - Missing Security Header in SOAP message
    2008-09-17 13:21:33,096 WARNING [HTTPThreadGroup-58] wssecurity.SecurityBaseStep - Failure while applying XML Security
    FAULT CODE: InvalidSecurity FAULT MESSAGE: Missing WS Security header in the SOAP message
    at com.cfluent.policysteps.security.wssecurity.OSDTWSSecurity.decryptVerify(OSDTWSSecurity.java:369)
    at com.cfluent.policysteps.security.wssecurity.DecryptStep.performXmlSecurity(DecryptStep.java:131)
    at com.cfluent.policysteps.security.wssecurity.SecurityBaseStep.execute(SecurityBaseStep.java:238)
    at com.cfluent.pipelineengine.container.DefaultPipeline.executeStep(DefaultPipeline.java:124)
    but the wsse:Security header with SAML assertion IS confirmed in the incoming message log. Anybody seen this issue?

    Below is the log of the incoming message just prior to the failing SAML Verify step:
    <?xml version="1.0" encoding="UTF-8" ?>
    <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns0="http://exception.common.periop.gehc.com" xmlns:ns1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:ns2="http://www.patient.patientmanager.periop.gehc.com/service/" xmlns:ns3="http://entity.common.periop.gehc.com" xmlns:ns4="http://entity.patient.patientmanager.periop.gehc.com" xmlns:ns5="http://entity.allergy.patientmanager.periop.gehc.com" xmlns:ns6="http://pdo.domain.customizer.periop.gehc.com" xmlns:ns7="http://entity.cases.scheduler.periop.gehc.com" xmlns:ns8="http://entity.insurance.patientmanager.periop.gehc.com">
    <env:Header>
    <ns1:Security>
    <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="158RBY2QvCFPiTqdXYWh9A22" IssueInstant="2008-09-17T19:58:43Z" Issuer="GE" xmlns="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
    <saml:Conditions NotBefore="2008-09-17T19:58:13Z" NotOnOrAfter="2008-09-17T19:59:43Z" />
    <saml:AuthenticationStatement AuthenticationInstant="2008-09-17T19:58:43Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
    <saml:Subject>
    <saml:NameIdentifier NameQualifier="www.ge.com" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">gowri</saml:NameIdentifier>
    <saml:SubjectConfirmation>
    <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod>
    </saml:SubjectConfirmation>
    </saml:Subject>
    </saml:AuthenticationStatement>
    </saml:Assertion>
    </ns1:Security>
    </env:Header>
    <env:Body>
    <ns2:getPatient>
    <ns2:patientId>137115</ns2:patientId>
    </ns2:getPatient>
    </env:Body>
    </env:Envelope>

  • SP324081: Check that your Internet Explorer security settings will allow JavaScript and cookies. If enabled, please contact support.

    Hi,
    I have VS2013 update 4 and IE11 installed. When I try to sign in through VS I get the following error.
    SP324081: Check that your Internet Explorer security settings will allow JavaScript and cookies. If enabled, please contact support.
    I have checked and JavaScript and cookies are enabled.
    Any help is appreciated.

    Hi Sath12,
    If possible, I suggest you reset IE settings.
    Please lower the security level. Then I added the site like https://*.visualstudio.com/ to the trusted zones. Test it again.
    I have met this issue before which was related to the IE settings or the account issue.
    https://social.msdn.microsoft.com/Forums/sqlserver/en-US/290948f6-b4ca-41e3-9888-91fbbc71cdeb/cannot-register-sign-in-from-vs-express-2013?forum=visualstudiogeneral
    A connect report still shared some information about it:
    https://connect.microsoft.com/VisualStudio/feedback/details/811860/vs-express-2013-for-web-browser-is-security-restricted-or-javascript-is-disabled
    Best Regards,
    Jack

  • Error when trying to retrieve UserName from MySAPSSO2 cookie

    Hi,
    I tried to retrieve the UserName from the MySAPSSO2 cookie using the dotnet toolkit, but I keep getting the error "User Not Authenticated". I have placed the verify.pse files in a folder called psefiles in the same location as the bin folder of my application.
    I then also tried to directly use Convert.FromBase64String() to read the username from the cookie, but during conversion I get the error "Invalid character in a Base-64 string".
    Any help is highly appreciated.
    Thanks,
    Kantishree D.

    From the menu bar, select
     ▹ System Preferences ▹ Energy Saver ▹ Power Adapter
    and uncheck the box labeled Put the hard disk(s) to sleep when possible, if it's checked.
    If the drive has more than one interface (USB, FireWire, Thunderbolt, eSATA), try one of the other interfaces.
    Check that the data cable is securely inserted at both ends.
    Try a different cable.
    If you're connecting the drive through a hub, connect it directly to a built-in port on the Mac.
    If you're connecting it directly, try a different port.
    Disconnect all other devices on the bus, or as many as possible.
    Test the drive with another Mac. Test another drive with this Mac.
    If the drive is bus-powered, but has an AC adapter, connect the adapter.
    Start up in Safe Mode and test.
    If the drive doesn't work under any of the above conditions, and if another drive does work with the same Mac, then the drive has failed. You may be able to salvage the mechanism by removing it from the enclosure and installing it in another one, or in a drive dock.

  • Removal of Central Security Service ransomware virus from MacBook Air

    How to remove the Central Security Service ransomware virus from a MacBook Air running OS X 10.8.5?

    Go step by step and test.
    1. Force Quit.
        Press command + option + esc keys together at the same time. Wait.
        When the Force Quit window appears, select Safari if not already selected.
        Press the Force Quit button at the bottom of the window. Wait.
        Safari will quit.
        Relaunch Safari holding the shift key down.
    2. Safari > Preferences > Extensions
        Turn those off and try Safari.
    3. Safari > Preferences > Privacy > Cookies and other website data:
        Press the “Remove all website data” button.
    4. If adware is installed without your knowledge,
        download AdwareMedic by clicking “Download” from here:
        http://www.adwaremedic.com
        Install, open, and run it by clicking the “Scan for Adware” button to remove adware.
        Once done scanning and removing the adware, quit the app by clicking AdwareMedic in the menubar
        and selecting “Quit AdwareMedic”.

  • I'm having trouble changing my security questions; they are from years ago so I do not remember them and the reset email is no longer active, and I don't know how I can use the account because I added money to it but it asks for the questions. Anybody help??

    I'm having trouble changing my security questions; they are from years ago so I do not remember them and the reset email is no longer active, and I don't know how I can use the account because I added money to it but it asks for the questions. Anybody help??
    This says it all..

    Welcome to the Apple Community.
    Contact Apple through iTunes Store Support, and explain that you have forgotten your 3 security questions, that you can reset your password, but doing so doesn't reset your security questions.
    Remember, support will receive hundreds, if not thousands of requests per day, some from people trying it on, others with little explanation and others that are written extremely poorly. Take the time to explain your situation properly, be precise and concise, brief but comprehensive.

  • Hard drive is missing. I can boot from the cd but when running the disk utility, no hard drive shows up.

    Hard drive is missing. I can boot from the cd but when running the disk utility, no hard drive shows up.
    This is a problem that suddenly appeared.

    Please post a screenshot of Disk Utility that shows what you mean. Be careful not to include any private information.
    Start a reply to this message. Click the camera icon in the toolbar of the editing window and select the image file to upload it. You can also include text in the reply.
