Using HTTPOnly and Secure Cookies on Web Servers: How to Do It

Ajay Yadav
6 min read · Nov 23, 2023


Many people consider session cookies one of the weakest points of HTTP for security and privacy, but modern web apps need them to keep track of state. A cookie is unprotected by default, and anyone who gets hold of it can abuse it: a stolen cookie lets an attacker impersonate another user and take over the session, because the session data it stores can grant full access to an account.

Because of this, it is important to make cookies safer by setting the right options. You can do this by paying attention to these two things:

# HttpOnly Flag

Imagine you have a special secret (like a cookie) that you want to share with a friend (like your web browser). However, you want to ensure that someone with bad intentions (like a malicious script running on a website) cannot easily steal this secret.

So, you decide to give your friend (the browser) the secret in a special way:

  1. Normal cookie sharing:
  • You give the secret to your friend (the browser) and anyone passing by (including malicious scripts).
  • Anyone can come and take a look at the secret whenever they want.
  2. HttpOnly cookie sharing:
  • You give the secret to your friend (the browser), but tell your friend to keep it a secret and not to share it with anyone else (like scripts).
  • Your friend (the browser) is trustworthy and listens to your instructions, so only it can access and use the secret.

In technical terms:

  • Both the browser and any scripts running on the web page can access standard cookies.
  • HttpOnly cookies can be accessed only by the browser; they are off-limits to scripts, making them more secure against certain attacks.

So, using the HttpOnly flag is like telling your friend (the browser), "Hey, keep this secret safe and don't let anyone else (especially those mischievous scripts) know about it!"

# Secure Flag

Imagine you're sending a letter with sensitive information (like a cookie) through the mail (the internet). You want to ensure that only the intended recipient (the website) can read it, and nobody else can sneak a peek during transit.

  1. Normal letter (cookie) sending:
  • You put the letter in the mailbox, hoping it reaches its destination safely.
  • However, anyone along the way (like a nosy neighbor or a mischievous mail thief) could potentially open and read the letter.
  2. Secure letter (cookie):
  • You decide to use a special lock on your mailbox that only the intended recipient (a secure website) can open.
  • Now, even if someone tries to intercept your letter, they won't be able to read it because it's securely locked.

In technical terms:

  • Normal cookies are like letters without locks, potentially readable by anyone between you and the destination.
  • Cookies with the Secure flag are like letters in a securely locked mailbox, ensuring they can only be sent over secure, encrypted connections (typically, HTTPS).

So, using the Secure flag is like saying, "Let's make sure our sensitive information travels in a locked box, so only the trusted destination can open and read it, keeping it safe from prying eyes during the journey."

Let's simplify the implementation of HttpOnly and Secure flags for cookies in Apache:

HttpOnly Flag:

  1. Open your Apache configuration file:
  • Locate the configuration file for your Apache server. This is often named httpd.conf or apache2.conf.
  • Open the file in a text editor.

  2. Check for the mod_headers module:
  • Ensure that the mod_headers module is enabled. You can do this by checking whether the line LoadModule headers_module modules/mod_headers.so is uncommented. If not, uncomment it.

  3. Add the HttpOnly directive:
  • Inside the configuration file, add the following lines:

<IfModule mod_headers.c>
Header always edit Set-Cookie (.*) "$1; HttpOnly"
</IfModule>

  • Save the file.

  4. Restart Apache:
  • Restart your Apache server to apply the changes.

Secure Flag:

  1. Ensure HTTPS is set up:
  • Make sure your website is configured to use HTTPS. This involves having an SSL/TLS certificate installed.

  2. Open your Apache configuration file:
  • Open the Apache configuration file (httpd.conf or apache2.conf) in a text editor.

  3. Add the Secure directive:
  • Add the following lines to enforce the Secure flag for cookies:

<IfModule mod_headers.c>
Header always edit Set-Cookie (.*) "$1; Secure"
</IfModule>

  • Save the file.

  4. Restart Apache:
  • Restart your Apache server to apply the changes.

Combined Implementation (HttpOnly and Secure):

If you want to implement both HttpOnly and Secure flags together:

  1. Open your Apache configuration file:
  • Open the Apache configuration file (httpd.conf or apache2.conf) in a text editor.

  2. Add the combined directives:
  • Add the following lines to enforce both HttpOnly and Secure flags:

<IfModule mod_headers.c>
Header always edit Set-Cookie (.*) "$1; HttpOnly; Secure"
</IfModule>

  • Save the file.

  3. Restart Apache:
  • Restart your Apache server to apply the changes.

These steps are like telling Apache, "For all cookies, make sure they are marked as HttpOnly to prevent script access and Secure to ensure they are sent only over HTTPS."
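The regex in the combined directive appends the flags to every Set-Cookie header unconditionally. The Python below is an added example (not from the article and not Apache's own code): it approximates what Header edit does to a few constructed cookie values, and contrasts it with an assumed negative-lookahead pattern that appends a flag only when the cookie lacks it, so cookies the application already hardened do not end up with duplicate attributes.

```python
import re

# Constructed sample Set-Cookie values (not captured from a real server): a session
# cookie with no flags, a preference cookie, and one the application already hardened.
SAMPLE_SET_COOKIE = [
    "JSESSIONID=7f3a1c; Path=/",
    "theme=dark; Path=/; Max-Age=31536000",
    "csrftoken=abc123; Path=/; Secure; HttpOnly",
]


def apache_header_edit(value, pattern, replacement):
    """Approximate 'Header edit <header> <pattern> <replacement>' on one header value:
    replace the FIRST match ('edit*' replaces all); Apache's $1 is Python's \\1."""
    return re.sub(pattern, replacement.replace("$", "\\"), value, count=1)


def add_flags_as_in_article(values):
    """The article's combined directive, Header always edit Set-Cookie (.*) "$1; HttpOnly; Secure",
    applied to each value: '(.*)' always matches, so the flags are appended unconditionally."""
    return [apache_header_edit(v, r"(.*)", "$1; HttpOnly; Secure") for v in values]


def add_flag_if_missing(value, flag):
    """Assumed alternative pattern (not from the article): a negative lookahead appends
    the flag only if the cookie lacks it. mod_headers uses PCRE, which supports this."""
    pattern = rf"(?i)^(?!.*;\s*{flag}\s*(?:;|$))(.*)$"
    return apache_header_edit(value, pattern, f"$1; {flag}")


def add_flags_idempotent(values):
    """One directive per flag, each skipping cookies that already carry that flag."""
    out = []
    for v in values:
        for flag in ("HttpOnly", "Secure"):
            v = add_flag_if_missing(v, flag)
        out.append(v)
    return out


def attribute_names(value):
    """Lower-cased attribute names after the name=value pair, to spot duplicates."""
    return [p.strip().split("=", 1)[0].lower() for p in value.split(";")[1:] if p.strip()]


if __name__ == "__main__":
    for before, a, b in zip(SAMPLE_SET_COOKIE, add_flags_as_in_article(SAMPLE_SET_COOKIE),
                            add_flags_idempotent(SAMPLE_SET_COOKIE)):
        print(f"{before}\n  article pattern -> {a}\n  lookahead       -> {b}")
```

Browsers tolerate a repeated HttpOnly or Secure attribute, so the article's pattern still hardens the cookie; the lookahead variant only keeps the emitted headers clean and makes the rule safe to apply on top of an application that already sets the flags.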

Let's simplify the implementation of HttpOnly and Secure flags for cookies in Tomcat:

HttpOnly Flag:

To enable the HttpOnly flag for cookies in Tomcat, set the useHttpOnly attribute on the <Context> element of your web application's context configuration. Follow these steps:

  1. Open the context.xml file in the META-INF directory of your web application (or create it if it doesn't exist).
  2. Add the useHttpOnly attribute to the <Context> element:

<Context useHttpOnly="true">
<!-- Other configurations -->
</Context>

  3. Save the file.
  4. Restart your Tomcat server to apply the changes.

Secure Flag:

Enforcing the Secure flag for cookies involves ensuring that your web application is served over HTTPS. Once you have set up HTTPS, the Secure flag will be automatically applied to cookies. Here are the general steps:

  1. Configure your Tomcat server to use HTTPS. This involves obtaining an SSL/TLS certificate and updating your Tomcat connector configuration.
  2. Once your Tomcat server is set up for HTTPS, any cookies set by your application will automatically have the Secure flag.
  3. Restart your Tomcat server to apply the changes.

Combined Implementation (HttpOnly and Secure):

For combined implementation, you'll enforce both HttpOnly and Secure flags. Follow the steps below:

  1. Open the context.xml file in the META-INF directory of your web application.
  2. Add the useHttpOnly attribute to the <Context> element:

<Context useHttpOnly="true">
<!-- Other configurations -->
</Context>

  3. Ensure that your Tomcat server is configured for HTTPS to automatically apply the Secure flag to cookies.
  4. Save the file.
  5. Restart your Tomcat server to apply the changes.

Remember to test thoroughly after making these changes to ensure that cookies are being set with the desired flags.

Let's simplify the implementation of HttpOnly and Secure flags for cookies in IIS:

HttpOnly Flag:

  1. Open IIS Manager:
  • Open the IIS Manager on your server.

  2. Select your site:
  • In the Connections pane on the left, navigate to your specific website.

  3. Double-click "HTTP Response Headers":
  • In the center pane, find and double-click on "HTTP Response Headers."

  4. Add a Custom Header:
  • In the Actions pane on the right, click on "Add...", then choose "Add Custom Header."
  • Set the name to Set-Cookie.
  • Set the value to HttpOnly.
  • Click OK.

  5. Restart IIS:
  • After making these changes, restart IIS to apply the new configuration.

Secure Flag:

To enforce the Secure flag for cookies, you need to ensure that your website is served over HTTPS.

  1. Obtain an SSL certificate:
  • Acquire and install an SSL certificate for your domain. This certificate is necessary for enabling HTTPS.

  2. Configure your site for HTTPS:
  • In the IIS Manager, select your site.
  • In the center pane, double-click on "SSL Settings."
  • Check the box for "Require SSL."
  • Click Apply in the Actions pane on the right.

  3. Restart IIS:
  • Restart IIS to apply the changes.

You can also use URL Rewrite in IIS to enforce the Secure flag for cookies. By configuring a rewrite rule in the web.config file, you can redirect HTTP requests to HTTPS and ensure that cookies are sent only over secure connections. Here's an example of how you can do this:

  1. Open your web.config file:
  • Open the web.config file of your web application in a text editor. If it doesn't exist, you can create one.

  2. Add the following configuration for enforcing HTTPS:
  • Add the following code to the <system.webServer> section:

<system.webServer>
  <rewrite>
    <rules>
      <rule name="Enforce HTTPS" stopProcessing="true">
        <match url="(.*)" />
        <conditions>
          <add input="{HTTPS}" pattern="off" />
        </conditions>
        <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
      </rule>
    </rules>
  </rewrite>
</system.webServer>

Combined Implementation (HttpOnly and Secure):

For both HttpOnly and Secure flags:

  1. Follow the steps above to set the HttpOnly flag.
  2. Follow the steps to enable HTTPS and the Secure flag.
  3. Restart IIS after making these changes.

Additional Notes:

Testing: After applying these configurations, thoroughly test your website to ensure that cookies are now being set with the HttpOnly and Secure flags.

SSL/TLS Certificate: Ensure that your SSL/TLS certificate is correctly installed and valid for your domain. This is crucial for the proper functioning of the Secure flag.
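One way to carry out the Testing note above (and the same advice at the end of the Tomcat section) is to pull every Set-Cookie header out of a response and list which of the two flags each cookie lacks. This is an added example, not part of the article; the response it parses is constructed, and audit_url is a hypothetical helper for running the same audit against a server you administer.

```python
from urllib.request import urlopen

# Constructed raw HTTP response (sample data, not captured from any server): one cookie
# with both flags, one missing Secure, and one missing both.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=7f3a1c; Path=/; HttpOnly; Secure\r\n"
    "set-cookie: prefs=compact; Path=/; HttpOnly\r\n"
    "Set-Cookie: tracker=xyz; Path=/; Max-Age=86400\r\n"
    "\r\n"
)


def set_cookie_headers(raw_response):
    """Every Set-Cookie value in a raw response; header names are case-insensitive."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values


def audit_cookie(set_cookie_value):
    """Whether one Set-Cookie value carries HttpOnly and Secure. Attribute names are
    case-insensitive (RFC 6265), so 'httponly' and 'HttpOnly' both count."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return {"name": name, "httponly": "httponly" in attrs, "secure": "secure" in attrs}


def missing_flags(set_cookie_values):
    """Map each cookie name to the flags it lacks; an empty dict means all cookies pass."""
    findings = {}
    for value in set_cookie_values:
        result = audit_cookie(value)
        lacking = [flag for flag in ("HttpOnly", "Secure") if not result[flag.lower()]]
        if lacking:
            findings[result["name"]] = lacking
    return findings


def audit_url(url):
    """Hypothetical live check against a server you administer (the same audit on a real
    response). urlopen follows redirects, so an HTTP-to-HTTPS rule is honoured first."""
    with urlopen(url) as resp:
        return missing_flags(resp.headers.get_all("Set-Cookie") or [])
```

Against the constructed response, missing_flags(set_cookie_headers(SAMPLE_RESPONSE)) reports prefs missing Secure and tracker missing both flags, which is exactly the condition the configurations above are meant to eliminate.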

Thank you for taking the time to read this.
