Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

allow SameSite cookie attribute to be configured #11210

Open
wants to merge 3 commits into
base: develop
Choose a base branch
from
Open

allow SameSite cookie attribute to be configured #11210

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
72b04fe
allow SameSite cookie attribute to be configured
pdurbin Feb 3, 2025
27b7fc4
typo #11210
pdurbin Feb 3, 2025
3c286ca
add release note #11210
pdurbin Feb 3, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 18 additions & 0 deletions doc/release-notes/ds27-samesite-attr.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
### SameSite Cookie Attribute

The SameSite cookie attribute is defined in an upcoming revision to [RFC 6265](https://datatracker.ietf.org/doc/html/rfc6265) (HTTP State Management Mechanism) called [6265bis](https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-19>) ("bis" meaning "repeated"). The possible values are "None", "Lax", and "Strict". "Strict" is intended to help prevent Cross-Site Request Forgery (CSRF) attacks, as described in the RFC proposal and an OWASP [cheetsheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#samesite-cookie-attribute). "Lax" is a middle ground between "Strict" and "None".

New Dataverse installations are now set to "Lax" out of the box by the installer (in the case of a "classic" installation) or through an updated base image (in the case of a Docker installation). See upgrade instructions below.


See also [the guides](https://dataverse-guide--11210.org.readthedocs.build/en/11210/installation/config.html#samesite-cookie-attribute), https://github.com/IQSS/dataverse-security/issues/27 and #11210.

## Upgrade instructions

To bring your Dataverse installation in line with the new "Lax" (as opposed to "None") value described in [the guides](https://dataverse-guide--11210.org.readthedocs.build/en/11210/installation/config.html#samesite-cookie-attribute), we recommend running the following commands:
Copy link
Member

@qqmyers qqmyers Feb 5, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This sounds like doing nothing means an installation would be using SameSite:None, but I think by default current installation are not sending anything, which is interpreted as 'Lax' by modern browsers. I.e. installations aren't less safe if they do nothing. Maybe 'To explicitly specify the Lax setting or to switch to Strict, you can use the following commands...' ? Perhaps we should also say 'The value 'None' should never be used with Dataverse.' ?

Same issue for the other docs - Lax is a way to make the current default explicit and None should never be used.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FWIW: Not sure how you got a None for the Jessionid in the picture - I see no setting at all at QDR and on a test server. Could you have had the http.cookie-same-site-enabled=true already?


```
asadmin set server-config.network-config.protocols.protocol.http-listener-1.http.cookie-same-site-value=Lax

./asadmin set server-config.network-config.protocols.protocol.http-listener-1.http.cookie-same-site-enabled=true
```
12 changes: 12 additions & 0 deletions doc/sphinx-guides/source/container/base-image.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -281,6 +281,18 @@ provides. These are mostly based on environment variables (very common with cont
- See :ref:`:ApplicationServerSettings` ``http.request-timeout-seconds``.

*Note:* can also be set using any other `MicroProfile Config Sources`_ available via ``dataverse.http.timeout``.
* - ``DATAVERSE_COOKIE_SAME_SITE_VALUE``
- ``Lax``
- String
- Can be set to ``Strict``, ``Lax``, or ``None``. See :ref:`samesite-cookie-attribute`, :ref:`:ApplicationServerSettings` :ref:`http.cookie-same-site-value` and `Payara docs <https://docs.payara.fish/community/docs/6.2024.6/Technical%20Documentation/Payara%20Server%20Documentation/General%20Administration/Administering%20HTTP%20Connectivity.html>`_.

*Note:* can also be set using any other `MicroProfile Config Sources`_ available via ``dataverse.cookie-same-site-value``.
* - ``DATAVERSE_COOKIE_SAME_SITE_ENABLED``
- ``1``
- Bool, ``0|1`` or ``false|true``
- See :ref:`samesite-cookie-attribute` and :ref:`:ApplicationServerSettings` :ref:`http.cookie-same-site-enabled`.

*Note:* can also be set using any other `MicroProfile Config Sources`_ available via ``dataverse.cookie-same-site-value``.
* - ``PAYARA_ADMIN_PASSWORD``
- ``admin``
- String
Expand Down
35 changes: 35 additions & 0 deletions doc/sphinx-guides/source/installation/config.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -151,6 +151,15 @@ Password complexity rules for "builtin" accounts can be adjusted with a variety
- :ref:`:PVGoodStrength`
- :ref:`:PVCustomPasswordResetAlertMessage`

.. _samesite-cookie-attribute:

SameSite Cookie Attribute
^^^^^^^^^^^^^^^^^^^^^^^^^

The SameSite cookie attribute is defined in an upcoming revision to `RFC 6265 <https://datatracker.ietf.org/doc/html/rfc6265>`_ (HTTP State Management Mechanism) called `6265bis <https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-19>`_ ("bis" meaning "repeated"). The possible values are "None", "Lax", and "Strict". "Strict" is intended to help prevent Cross-Site Request Forgery (CSRF) attacks, as described in the RFC proposal and an OWASP `cheetsheet <https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#samesite-cookie-attribute>`_. "Lax" is a middle ground between "Strict" and "None".

Dataverse installations are set to "Lax" out of the box by the installer (in the case of a "classic" installation) or through the base image (in the case of a Docker installation). For classic, see :ref:`http.cookie-same-site-value` and :ref:`http.cookie-same-site-enabled` for how to change the values. For Docker, see :ref:`base-tunables`. By default, Payara uses "None". See also Payara's `documentation <https://docs.payara.fish/community/docs/6.2024.6/Technical%20Documentation/Payara%20Server%20Documentation/General%20Administration/Administering%20HTTP%20Connectivity.html>`_ for the settings above.

.. _ongoing-security:

Ongoing Security of Your Installation
Expand Down Expand Up @@ -3385,6 +3394,32 @@ To facilitate large file upload and download, the Dataverse Software installer b

and restart Payara to apply your change.

.. _http.cookie-same-site-value:

http.cookie-same-site-value
++++++++++++++++++++++++++++

See :ref:`samesite-cookie-attribute` for context.

The Dataverse installer configures the Payara **server-config.network-config.protocols.protocol.http-listener-1.http.cookie-same-site-value** setting to "Lax". From `Payara's documentation <https://docs.payara.fish/community/docs/6.2024.6/Technical%20Documentation/Payara%20Server%20Documentation/General%20Administration/Administering%20HTTP%20Connectivity.html>`_, the other possible values are "Strict" or "None". To change this to "Strict", for example, you could run the following command...
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The value for this appears to do nothing if the http.cookie-same-site-enabled isn't set to true.

Conversely, setting http.cookie-same-site-enabled=true without setting this one ends up sending None as the default which is worse than not having a SameSite setting at all. I think the docs should warn people about these issues.


``./asadmin set server-config.network-config.protocols.protocol.http-listener-1.http.cookie-same-site-value=Strict``

... and restart Payara to apply your change.

.. _http.cookie-same-site-enabled:

http.cookie-same-site-enabled
+++++++++++++++++++++++++++++

See :ref:`samesite-cookie-attribute` for context.

The Dataverse installer configures the Payara **server-config.network-config.protocols.protocol.http-listener-1.http.cookie-same-site-enabled** setting to true. To change this to false, you could run the following command...

``./asadmin set server-config.network-config.protocols.protocol.http-listener-1.http.cookie-same-site-enabled=true``

... and restart Payara to apply your change.

mp.config.profile
+++++++++++++++++

Expand Down
3 changes: 3 additions & 0 deletions modules/container-base/src/main/docker/Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -199,6 +199,9 @@ RUN <<EOF
${ASADMIN} set server-config.network-config.protocols.protocol.http-listener-2.http.file-cache.enabled="true"
${ASADMIN} set default-config.network-config.protocols.protocol.http-listener-1.http.file-cache.enabled="true"
${ASADMIN} set default-config.network-config.protocols.protocol.http-listener-2.http.file-cache.enabled="true"
# Set SameSite cookie value: https://docs.payara.fish/community/docs/6.2024.6/Technical%20Documentation/Payara%20Server%20Documentation/General%20Administration/Administering%20HTTP%20Connectivity.html
${ASADMIN} set server-config.network-config.protocols.protocol.http-listener-1.http.cookie-same-site-value="Lax"
${ASADMIN} set server-config.network-config.protocols.protocol.http-listener-1.http.cookie-same-site-enabled="true"
# Disable the HTTPS listener (we are always fronting our appservers with a reverse proxy handling SSL)
${ASADMIN} set configs.config.server-config.network-config.network-listeners.network-listener.http-listener-2.enabled="false"
# Enlarge and tune EJB pools (cannot do this for server-config as set does not create new entries)
Expand Down
4 changes: 4 additions & 0 deletions scripts/installer/as-setup.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -124,6 +124,10 @@ function preliminary_setup()
# bump the http-listener timeout from 900 to 3600
./asadmin $ASADMIN_OPTS set server-config.network-config.protocols.protocol.http-listener-1.http.request-timeout-seconds="${GLASSFISH_REQUEST_TIMEOUT}"

# Set SameSite cookie value: https://docs.payara.fish/community/docs/6.2024.6/Technical%20Documentation/Payara%20Server%20Documentation/General%20Administration/Administering%20HTTP%20Connectivity.html
./asadmin $ASADMIN_OPTS set server-config.network-config.protocols.protocol.http-listener-1.http.cookie-same-site-value="Lax"
./asadmin $ASADMIN_OPTS set server-config.network-config.protocols.protocol.http-listener-1.http.cookie-same-site-enabled="true"

# so we can front with apache httpd ( ProxyPass / ajp://localhost:8009/ )
./asadmin $ASADMIN_OPTS create-network-listener --protocol http-listener-1 --listenerport 8009 --jkenabled true jk-connector
}
Expand Down