server, ui: set HttpOnly: true and Secure flags on cookies
#119261
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
This change is |
stevendanna
approved these changes
Feb 20, 2024
There was a problem hiding this comment.
I think we should probably merge this as-is as it represents the code that was merged to release branches.
I still think it would be nice to follow up with a change in which al cookie creation goes through one function where it will be easier to audit in the future.
This change removes the ability of the DB Console JS code to read the `session` cookie from the browser by setting the `HttpOnly` flag to `true`. This change requires a modification of how the `TenantDropdown` components works since it relied on reading the `session` cookie and extracting the list of logged-in tenants from it. Instead of reading the cookie, the component now relies on a server- side endpoint to "read back" the list of tenants in the session. You might ask why this is necessary because we could return the list of valid tenants on `/login` success and have them available outright. There is a reason why that's not sufficient. When you are logged in to multiple tenants with a valid session, you can switch between them in the dropdown switcher. This switch occurs without a subsequent call to `/login`, and will just set the `tenant` cookie to the new tenant name and issue a full refresh to the browser which will re-render everything. In this case, the `TenantDropdown` component gets fully re-rendered but no longer has access to the state it was initialized with containing all the valid tenants. This necessitates adding an endpoint that the component can use to populate itself directly whenever it's rendered. Epic: None Fixes: CRDB-36034 Release note (security update): DB Console `session` cookie is now marked `HttpOnly` to prevent it from being read by any Javascript code.
Cookie `Secure` setting is based on `disableTLSForHTTP` passed down from the server. Part of CRDB-36034 Epic: None Release note (security update): DB Console cookies are marked `Secure` for the browser when the cluster is running in secure mode.
dhartunian
force-pushed
the
master-cookie-settings-fixes
branch
from
a2220dd to
ad493f8
Compare
dhartunian
force-pushed
the
master-cookie-settings-fixes
branch
from
ad493f8 to
bced88d
Compare
|
bors r=stevendanna |
|
Build succeeded: |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
server, ui: session cookie is HttpOnly
This change removes the ability of the DB Console JS code to read
the
sessioncookie from the browser by setting theHttpOnlyflagto
true.This change requires a modification of how the
TenantDropdowncomponents works since it relied on reading the
sessioncookie andextracting the list of logged-in tenants from it.
Instead of reading the cookie, the component now relies on a server-
side endpoint to "read back" the list of tenants in the session. You
might ask why this is necessary because we could return the list of
valid tenants on
/loginsuccess and have them available outright.There is a reason why that's not sufficient.
When you are logged in to multiple tenants with a valid session, you
can switch between them in the dropdown switcher. This switch occurs
without a subsequent call to
/login, and will just set thetenantcookie to the new tenant name and issue a full refresh to the browser
which will re-render everything. In this case, the
TenantDropdowncomponent gets fully re-rendered but no longer has access to the
state it was initialized with containing all the valid tenants. This
necessitates adding an endpoint that the component can use to populate
itself directly whenever it's rendered.
Epic: None
Fixes: CRDB-36034
Release note (security update): DB Console
sessioncookie is nowmarked
HttpOnlyto prevent it from being read by any Javascriptcode.
server: set Secure on cookies if cluster is secure
Cookie
Securesetting is based ondisableTLSForHTTPpassed downfrom the server.
Part of CRDB-36034
Epic: None
Release note (security update): DB Console cookies are marked
Securefor the browser when the cluster is running in secure mode.