jfbconnect triggering some modsecurity2 warnings

11 years 11 months ago #44781 by raddams
I'm using apache2 with modsecurity2 - one of the base rules is generating a warning related to cookies:
Message: Warning. Pattern match "(.*?)=(?i)(?!.*secure.*)(.*$)" at RESPONSE_HEADERS:Set-Cookie. [file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_55_application_defects.conf"] [line "99"] [id "981185"] [msg "AppDefect: Missing Secure Cookie Flag for jfbconnect_permissions_granted."] [tag "WASCTC/WASC-15"] [tag "MISCONFIGURATION"] [tag "http://websecuritytool.codeplex.com/wikipage?title=Checks#cookie-not-setting-secure-flag"]
Apache-Handler: application/x-httpd-php
Stopwatch: 1402701917017349 392900 (- - -)
Stopwatch2: 1402701917017349 392900; combined=2692, p1=980, p2=726, p3=334, p4=152, p5=341, sr=282, sw=159, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.7.7 (http://www.modsecurity.org/); OWASP_CRS/2.2.8.
Server: Apache
Engine-Mode: "ENABLED"

Note the site is running under SSL. I realize this is a warning, but could this be addressed in the next release if it's deemed to be something that should be there?
Support Specialist
11 years 11 months ago #44813 by alzander
Hmmm.. Good question. Never had that asked before, but the solution should be pretty simple. The cookie that's being set really doesn't need to be secure at all. We don't set any cookies that have session information or anything else of value. That specific cookie simply holds what permissions from Facebook the user has granted. Not much a 'bad guy' could do with that.

However, to get rid of the error, you should be able to edit the /components/com_jfbconnect/includes/jfbconnect.js file. Search for the following line:
document.cookie = escape(sKey) + "=" + escape(sValue) + "; path=/";
Update that to:
document.cookie = escape(sKey) + "=" + escape(sValue) + "; secure; path=/";
That will force the cookie to only be set and read over a secure connection.

We'll have to see if there's a way we can do this automatically in the code. The problem is that most sites run in a mixed-mode of http/https or with no https at all. Also, our code (as mentioned) doesn't really need to secure that cookie.

I hope that gets you going for now though and, should you need anything else, just let us know.

Thanks,
Alex
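The reply above shows the one-line change that adds the Secure attribute unconditionally, and then notes the problem with that: on a site that serves both http and https, a cookie marked Secure is never sent back over plain http, so the permissions value silently disappears. The following is an added example, not jfbconnect's own code, showing the cookie string being built with the Secure attribute only when the page is actually served over HTTPS, plus a small check that mirrors what the CRS rule 981185 is looking for (a Set-Cookie value with no "secure" attribute after the name=value pair). It uses encodeURIComponent in place of the deprecated escape() used by the original line; the function names, the isHttps option and the sample permissions value are assumptions made for this example.

```javascript
"use strict";

// Build a cookie string in the same shape as jfbconnect's
//   escape(sKey) + "=" + escape(sValue) + "; path=/"
// but append "Secure" only when the page is served over HTTPS. In a browser,
// pass isHttps: window.location.protocol === "https:"; it is a parameter here so
// the function runs outside a browser as well. (Example code, not the project's.)
function buildCookie(key, value, { isHttps = false, path = "/" } = {}) {
  const parts = [
    encodeURIComponent(key) + "=" + encodeURIComponent(value),
    "path=" + path,
  ];
  if (isHttps) {
    parts.push("Secure"); // attribute name is case-insensitive; "Secure" is the usual spelling
  }
  return parts.join("; ");
}

// Mirror of the condition behind the ModSecurity warning on the page: after the
// name=value pair, is there a "secure" attribute anywhere in the cookie string?
// (The CRS pattern "(.*?)=(?i)(?!.*secure.*)(.*$)" fires when there is not.)
function hasSecureFlag(cookieString) {
  return cookieString
    .split(";")
    .slice(1) // drop the name=value pair, keep the attributes
    .some((attr) => attr.trim().toLowerCase() === "secure");
}

// Write the cookie through whatever document object is supplied. In a browser
// this is `document`; tests can pass a plain object with a `cookie` property.
function setPermissionsCookie(key, value, doc, isHttps) {
  const cookie = buildCookie(key, value, { isHttps });
  doc.cookie = cookie;
  return cookie;
}

// Stand-alone demonstration with a constructed permissions value and a fake
// document object, so it runs without a browser.
const fakeDocument = { cookie: "" };
const overHttps = setPermissionsCookie(
  "jfbconnect_permissions_granted",   // cookie name taken from the warning on the page
  "email,publish_actions",            // constructed sample value
  fakeDocument,
  true
);
const overHttp = setPermissionsCookie(
  "jfbconnect_permissions_granted",
  "email,publish_actions",
  fakeDocument,
  false
);
console.log("https:", overHttps, "-> secure flag:", hasSecureFlag(overHttps));
console.log("http: ", overHttp, "-> secure flag:", hasSecureFlag(overHttp));
```

With this in place the rule is satisfied on the HTTPS site from the original post, while a site in mixed http/https mode still gets a cookie its http pages can read. The thread's own point stands: the cookie only records which Facebook permissions were granted, so the Secure attribute here is about clearing the misconfiguration finding rather than protecting a secret.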