Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

server, ui: set HttpOnly: true and Secure flags on cookies #119261

Merged
merged 2 commits into from Mar 4, 2024
Merged

server, ui: set HttpOnly: true and Secure flags on cookies #119261

merged 2 commits into from Mar 4, 2024

Conversation

dhartunian
Copy link
Collaborator

@dhartunian dhartunian commented Feb 15, 2024
edited by jlinder

server, ui: session cookie is HttpOnly

This change removes the ability of the DB Console JS code to read
the session cookie from the browser by setting the HttpOnly flag
to true.

This change requires a modification of how the TenantDropdown
components works since it relied on reading the session cookie and
extracting the list of logged-in tenants from it.

Instead of reading the cookie, the component now relies on a server-
side endpoint to "read back" the list of tenants in the session. You
might ask why this is necessary because we could return the list of
valid tenants on /login success and have them available outright.
There is a reason why that's not sufficient.

When you are logged in to multiple tenants with a valid session, you
can switch between them in the dropdown switcher. This switch occurs
without a subsequent call to /login, and will just set the tenant
cookie to the new tenant name and issue a full refresh to the browser
which will re-render everything. In this case, the TenantDropdown
component gets fully re-rendered but no longer has access to the
state it was initialized with containing all the valid tenants. This
necessitates adding an endpoint that the component can use to populate
itself directly whenever it's rendered.

Epic: None
Fixes: CRDB-36034

Release note (security update): DB Console session cookie is now
marked HttpOnly to prevent it from being read by any Javascript
code.

server: set Secure on cookies if cluster is secure

Cookie Secure setting is based on disableTLSForHTTP passed down
from the server.

Part of CRDB-36034
Epic: None

Release note (security update): DB Console cookies are marked Secure
for the browser when the cluster is running in secure mode.

@dhartunian dhartunian requested review from a team as code owners February 15, 2024 20:43
@cockroach-teamcity
Copy link
Member

This change is Reviewable

stevendanna
stevendanna approved these changes Feb 20, 2024
View reviewed changes
Copy link
Collaborator

@stevendanna stevendanna left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should probably merge this as-is as it represents the code that was merged to release branches.

I still think it would be nice to follow up with a change in which al cookie creation goes through one function where it will be easier to audit in the future.

@dhartunian
server, ui: session cookie is HttpOnly
68a52dd 
This change removes the ability of the DB Console JS code to read
the `session` cookie from the browser by setting the `HttpOnly` flag
to `true`.

This change requires a modification of how the `TenantDropdown`
components works since it relied on reading the `session` cookie and
extracting the list of logged-in tenants from it.

Instead of reading the cookie, the component now relies on a server-
side endpoint to "read back" the list of tenants in the session. You
might ask why this is necessary because we could return the list of
valid tenants on `/login` success and have them available outright.
There is a reason why that's not sufficient.

When you are logged in to multiple tenants with a valid session, you
can switch between them in the dropdown switcher. This switch occurs
without a subsequent call to `/login`, and will just set the `tenant`
cookie to the new tenant name and issue a full refresh to the browser
which will re-render everything. In this case, the `TenantDropdown`
component gets fully re-rendered but no longer has access to the
state it was initialized with containing all the valid tenants. This
necessitates adding an endpoint that the component can use to populate
itself directly whenever it's rendered.

Epic: None
Fixes: CRDB-36034

Release note (security update): DB Console `session` cookie is now
marked `HttpOnly` to prevent it from being read by any Javascript
code.
@dhartunian
server: set Secure on cookies if cluster is secure
bced88d 
Cookie `Secure` setting is based on `disableTLSForHTTP` passed down
from the server.

Part of CRDB-36034
Epic: None

Release note (security update): DB Console cookies are marked `Secure`
for the browser when the cluster is running in secure mode.
@dhartunian dhartunian requested a review from a team as a code owner February 28, 2024 22:05
@dhartunian dhartunian mentioned this pull request Feb 28, 2024
Merged
@dhartunian
Copy link
Collaborator Author

bors r=stevendanna

@craig
Copy link
Contributor

craig bot commented Mar 4, 2024

Build succeeded:

@craig craig bot merged commit 9addf03 into cockroachdb:master Mar 4, 2024
15 of 18 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@stevendanna stevendanna stevendanna approved these changes

@abarganier abarganier Awaiting requested review from abarganier

@xinhaoz xinhaoz Awaiting requested review from xinhaoz

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@dhartunian @cockroach-teamcity @stevendanna