Make login-token cookie secure

anujk4

14-03-2019

When we try to access localhost:4502, a cookie is created by the name cq-authoring-mode. Upon successful authentication a new cookie is created by the name login-token. Both the cookies mentioned above are not secure. Can we do some modification in AEM that will make these cookies secure?

Replies

Gaurav-Behl

14-03-2019

Arun_Patidar

14-03-2019

You can do something similar to the below.

Update expired time for login-token cookie

https://www.tunetheweb.com/security/http-security-headers/secure-cookies/

Using Apache HTTP mod_headers, rewrite the Set-Cookie header of the authentication response.

Add this line of code to the Apache configuration:

# Requires mod_headers. "always" makes it apply to redirects and other non-2xx
# responses too; the regex matches the whole Set-Cookie value for the two cookies.
Header always edit Set-Cookie "^((login-token|cq-authoring-mode)=.*)$" "$1; HttpOnly; Secure"

anujk4

15-03-2019

Hi Gaurav, thanks for your reply. I already tried what was mentioned in the link provided by you. I am getting the below error. Any idea why?

1712212_pastedImage_0.png

anujk4

15-03-2019

Hi Arun, thanks for the response. We do not have Apache set up on top of author. Author is accessible on port 4502.

Also, there is one non-prod AEM instance available that has a valid CA certificate. It is accessible over HTTPS. In one of the questions asked here in the forum (AEM Session Cookie with httponly and secure flag) it is mentioned that cookies are secure by default over HTTPS. On this instance too the cookies are not secured.

Am I missing something here?

Thanks

Arun_Patidar

15-03-2019

Hi,

I think we overlooked this; there is a configuration to enable secure cookies:

How to enable secure cookies in AEM

But just FYI/FYK:

You can try to make cookies secure using filters: you can check whether cookies are not secure and then make them secure using Java.

aem63app-repo/DemoCookieFilter.java at master · arunpatidar02/aem63app-repo · GitHub

But if you want to make it work over SSL, check the below article:

Implementing SSL on AEM – OpsInventor

anujk4

15-03-2019

Hi Arun,

Reference link 1: this only ensures the JSESSIONID cookie is made secure. And if it is made secure it will only be transferred over HTTPS and not over HTTP. AEM needs to be enabled for SSL.

Reference link 2: Tried with DemoCookieFilter.java. I am making it secure: myCookie.setSecure(true); Now, because AEM is not on HTTPS, this cookie is not created. When I remove the above line, the cookie comes fine.

Reference link 3: getting an error while configuring SSL. Screenshot attached in response to the other answer.

I tried creating a self-signed certificate using keytool and made the appropriate config in "Apache Felix Jetty based HTTP service". Checked the "enable HTTPS" mark, entered other relevant information and saved. I was able to access content on the configured port (I used 5433 as the port number) but Chrome is marking it as unsecured.

1712331_pastedImage_0.png

And all cookies made secure using the filter class were not coming through.

Thanks for your time.
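The filter approach Arun describes above, together with the behaviour anujk4 observed (a cookie marked Secure is discarded by modern browsers when it arrives over plain HTTP, so it "is not created"), as an added example that is not the DemoCookieFilter from the linked repository nor any AEM code. It assumes a plain servlet Filter (OSGi/Sling registration omitted) and that the X-Forwarded-Proto header, if honoured, is set only by your own TLS-terminating proxy.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/** Hypothetical filter: adds HttpOnly and, only on TLS requests, Secure to the
 *  login-token and cq-authoring-mode cookies named in the question. */
public class SecureCookieFilter implements Filter {
    // Cookie names from the question; all other cookies pass through untouched.
    private static final String[] NAMES = {"login-token", "cq-authoring-mode"};

    private static boolean isTarget(String name) {
        for (String n : NAMES) if (n.equals(name)) return true;
        return false;
    }

    /** Rewrites one raw Set-Cookie header value; pure so it can be unit-tested. */
    static String harden(String setCookie, boolean tls) {
        if (!isTarget(setCookie.split("=", 2)[0].trim())) return setCookie;
        String lower = setCookie.toLowerCase();
        StringBuilder sb = new StringBuilder(setCookie);
        if (!lower.contains("httponly")) sb.append("; HttpOnly");
        // A browser discards a Secure cookie received over plain HTTP, which is the
        // "cookie is not created" symptom in this thread, so only add it on TLS.
        if (tls && !lower.contains("secure")) sb.append("; Secure");
        return sb.toString();
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // isSecure() is false behind a TLS-terminating proxy; trusting X-Forwarded-Proto
        // is an assumption that only holds when the proxy overwrites that header.
        final boolean tls = request.isSecure()
                || "https".equalsIgnoreCase(request.getHeader("X-Forwarded-Proto"));
        chain.doFilter(req, new HttpServletResponseWrapper((HttpServletResponse) res) {
            @Override public void addHeader(String n, String v) {   // raw header path
                super.addHeader(n, "Set-Cookie".equalsIgnoreCase(n) ? harden(v, tls) : v);
            }
            @Override public void addCookie(Cookie c) {             // addCookie() path
                if (isTarget(c.getName())) { c.setHttpOnly(true); c.setSecure(tls || c.getSecure()); }
                super.addCookie(c);
            }
        });
    }

    @Override public void init(FilterConfig c) {}
    @Override public void destroy() {}
}
```

Until the instance itself (or a proxy in front of it) serves HTTPS, the filter leaves Secure off and the cookie keeps working; once TLS is in place the same code starts emitting Secure without a redeploy.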

Arun_Patidar

15-03-2019

Hi,

I'll try the filter code to make cookies secure and get back to you.

The "Not secure" warning comes when your certificate is not valid or trusted, because you used a self-signed certificate.

Quick question: did you manage to make the cookies secure by enabling HTTPS?

anujk4

15-03-2019

No, Arun. Still no luck getting AEM to work on HTTPS locally.

I will try to test the filter class code on one of the non-prod environments that is available over HTTPS and get back to you.

Thanks.

Gaurav-Behl

15-03-2019

If you follow the steps exactly, it would work fine. I've got it running on my local without any issue.

What did you specify as the hostname?

If you've specified a different hostname than localhost, make sure you've got an entry in /etc/hosts or the Windows hosts file.