HttpOnly attribute unset on cookies?

Hello

We’re having Octopus Deploy installed across our production environment, but are also looking to ensure that cookies in use via Octopus Deploy have the HttpOnly attribute set. We need to ensure session hijacking is a very remote possibility.

Currently the attribute is unset. What steps do we need to take to have it set to HttpOnly?

Thanks

Hi Luke,

Thanks for getting in touch! The only cookie issued by Octopus Server already sets the HttpOnly flag to true. Here is a screenshot from our demo server which shows some cookies set by other things like IIS/ARR and Google analytics, but you can see the OctopusIdentificationToken cookie has the expected flags.

If this is not the case for you, could you let me know which version of Octopus Server you are running, and post a screenshot of the cookies shown in your browser developer tools?

Hope that helps!
Mike

Hi Michael

It’s a little bit odd but it seems the screenshot you sent hasn’t come through properly; can’t view it.

Anyway, hopefully you’ll see mine without any issues.

We’re using version 3.3.3 and the screenshot is below of the unset HttpOnly flag on the Octopus cookie:

[cid:image001.jpg@01D2A2F2.E8747FA0]

Thanks

Luke

Hi Luke,

Thanks for keeping in touch! Just to be sure, I’ve checked the code and we’ve set the HttpOnly flag to true even back in the Octopus 2.x days. I’ve recorded some http traffic and we definitely set the cookie to HttpOnly in the login response. That’s when I realised your screenshot is the IE developer tools. :slight_smile:

That particular request to the /api/dashboard (in your screenshot) is showing the cookies that are sent in the HTTP request from IE to the Octopus Server: the cookies are never sent from the browser to the server with any extra metadata - just the name/value pairs themselves.

To prove what the Octopus Server is doing with the auth cookie you need to look at the network traffic and inspect the HTTP response from the HTTP POST to /api/users/login which sets the cookie and you’ll see the HttpOnly flag is set as expected.

Here is an example from Octopus 2.6.5:

Set-Cookie header for HTTP Response from POST /api/users/login: OctopusIdentificationToken=YP2CkrUPtWjMsv8lIABTYiBwim%2bMXuJ1ekoxasH5Rv6xPGmtoSH0JW9973xLE7Ex; path=/; Secure; HttpOnly

Cookie header for all future HTTP Requests: OctopusIdentificationToken=YP2CkrUPtWjMsv8lIABTYiBwim%2bMXuJ1ekoxasH5Rv6xPGmtoSH0JW9973xLE7Ex

Octopus 3.3.3 and Octopus 3.11.13 (latest) behave the same way.

To help others out in the future, do you think there is somewhere in our documentation you would have found this information?

Hope that helps!
Mike