SUPPORT / SAMPLES & SAS NOTES
Problem Note 69181: SASLogon does not set the HttpOnly attribute to a session cookie
 |  |  |  |
Severity: Medium
Description: The SASLogon application in SAS® 9.4 does not set the HttpOnly attribute to a session cookie (CASTGC cookie).
Potential Impact: The session ID in the cookie might be read by JavaScript if an XSS flaw exists.
As a workaround, you can follow these steps to enable the HttpOnly attribute:
- Open the SAS-configuration-directory/Lev1/Web/WebAppServer/SASServer1_1/sas_webapps/sas.svcs.logon.war/WEB-INF/spring-configuration/ticketGrantingTicketCookieGenerator.xml file in a text editor.
- Add the p:cookieHttpOnly="true" attribute to the <bean id="ticketGrantingTicketCookieGenerator"> directive as shown below, and save the file:
<bean id="ticketGrantingTicketCookieGenerator"
class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
p:cookieHttpOnly="true"
p:cookieSecure="false"
p:cookieMaxAge="-1"
p:cookieName="CASTGC"
p:cookiePath="/SASLogon" />
class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
p:cookieHttpOnly="true"
p:cookieSecure="false"
p:cookieMaxAge="-1"
p:cookieName="CASTGC"
p:cookiePath="/SASLogon" />
- Restart the SAS Web Application Server instances.
This issue is fixed in SAS® 9.4M8 (TS1M8). A hot fix is not planned for SAS® 9.4M7 (TS1M7) and earlier maintenance releases.
Operating System and Release Information
| Product Family | Product | System | Product Release | SAS Release | ||
| Reported | Fixed* | Reported | Fixed* | |||
| SAS System | SAS Web Infrastructure Platform | Microsoft® Windows® for x64 | 9.4_M3 | 9.4_M8 | 9.4 TS1M3 | 9.4 TS1M8 |
| 64-bit Enabled AIX | 9.4_M3 | 9.4_M8 | 9.4 TS1M3 | 9.4 TS1M8 | ||
| 64-bit Enabled Solaris | 9.4_M3 | 9.4_M8 | 9.4 TS1M3 | 9.4 TS1M8 | ||
| HP-UX IPF | 9.4_M3 | 9.4_M8 | 9.4 TS1M3 | 9.4 TS1M8 | ||
| Linux for x64 | 9.4_M3 | 9.4_M8 | 9.4 TS1M3 | 9.4 TS1M8 | ||
| Solaris for x64 | 9.4_M3 | 9.4_M8 | 9.4 TS1M3 | 9.4 TS1M8 | ||