Project

General

Profile

Support #6593

WtTestCookie: why is this cookie set by Wt?

Added by Stefan Ruppert about 4 years ago. Updated about 2 years ago.

Status:
Feedback
Priority:
Normal
Assignee:
-
Target version:
-
Start date:
09/06/2018
Due date:
% Done:

0%

Estimated time:

Description

Hi,

I'm wondering for what purpose this cookie is used by Wt? In Boot.js a comment indicates that it is used to check for server-side cookie support, but I can't find an appropriate C code. Is it really needed? If yes is it possible to remove the cookie after the tests are finished?

Our Wt based web applications should only set cookies if really needed (such as the session-id cookie...)!

Regards,

Stefan

#1

Updated by Roel Standaert about 4 years ago

Yeah, it's supposed to check for cookie support, but I'll have to ask how that works exactly.

In any case, if it's an issue for you, you can disable it with <cookie-checks>false</cookie-checks> in your wt_config.xml.

#2

Updated by Stefan Ruppert about 4 years ago

Roel Standaert wrote:

Yeah, it's supposed to check for cookie support, but I'll have to ask how that works exactly.

In any case, if it's an issue for you, you can disable it with <cookie-checks>false</cookie-checks> in your wt_config.xml.

Hi Roel,

I tested already disabling cookie-checks using wt_config. But after this the session id is always passed using URL parameter wtd. But we need to use the session id cookie! Requirement from our customer...

Regards,

Stefan

#3

Updated by Roel Standaert about 4 years ago

I see where it's used now. It's indeed being used to check whether there's cookie support. It's not checking whether there is exactly that cookie, just that there's a cookie. You can see that in WEnvironment.C, where doesCookies_ is being set.

In other words: this is necessary for the normal operation of the application, when you're using cookies for session tracking. Why is that a problem?

#4

Updated by Roel Standaert about 4 years ago

Note: the cookie is set to expire after 1 second when it is created.

#5

Updated by Roel Standaert about 4 years ago

  • Status changed from New to Feedback
#6

Updated by Stefan Ruppert about 4 years ago

Roel Standaert wrote:

I see where it's used now. It's indeed being used to check whether there's cookie support. It's not checking whether there is exactly that cookie, just that there's a cookie. You can see that in WEnvironment.C, where doesCookies_ is being set.

In other words: this is necessary for the normal operation of the application, when you're using cookies for session tracking. Why is that a problem?

Well our customer has restrict security requirements regarding cookies and I wanted to have only a session id cookie for our Wt based web application... For now I will wait if its a problem for our customer...

Regards,

Stefan

#7

Updated by Roel Standaert about 4 years ago

Well, you can tell this customer that there's no risk involved with the setting of this cookie. It's not a security sensitive cookie at all, and its use is only for technical reasons (testing cookie support). Note that if your customer has strict security concerns, you could also consider the Combined session tracking method.

Regards,

Roel

#8

Updated by Christian Meyer about 2 years ago

There is a warning in Firefox regarding that TestCookie and property SameSite attribute without "secure"

https://developer.mozilla.org/de/docs/Web/HTTP/Headers/Set-Cookie/SameSite

Cheers,
Christian

Also available in: Atom PDF