Secure ntopng cookies with SameSite and HttpOnly

HttpOnly prevents the cookie from being accessed by javascript code and restricts XMLHttpObject utilization.
See https://blog.codinghorror.com/protecting-your-cookies-httponly/ .

SameSite=lax prevents the cookie from being sent with cross-site iframes, images or XMLHttpRequests, but still allows external
sites to link to the ntopng webserver and use the existing authenticated user session.
See https://www.sjoerdlangkemper.nl/2016/04/14/preventing-csrf-with-samesite-cookie-attribute/ .
This commit is contained in:
emanuele-f 2018-05-16 11:43:23 +02:00
parent 24faaa0e20
commit a70dce4301
5 changed files with 27 additions and 6 deletions


@ -143,6 +143,7 @@ function __LINE__() return debug.getinfo(2, 'l').currentline end
function sendHTTPHeaderIfName(mime, ifname, maxage, content_disposition, extra_headers)
info = ntop.getInfo(false)
local cookie_attr = ntop.getCookieAttributes()
print('HTTP/1.1 200 OK\r\n')
print('Cache-Control: max-age=0, no-cache, no-store\r\n')
@ -150,8 +151,8 @@ function sendHTTPHeaderIfName(mime, ifname, maxage, content_disposition, extra_h
print('Pragma: no-cache\r\n')
print('X-Frame-Options: DENY\r\n')
print('X-Content-Type-Options: nosniff\r\n')
if(_SESSION ~= nil) then print('Set-Cookie: session='.._SESSION["session"]..'; max-age=' .. maxage .. '; path=/; HttpOnly\r\n') end
if(ifname ~= nil) then print('Set-Cookie: ifname=' .. ifname .. '; path=/\r\n') end
if(_SESSION ~= nil) then print('Set-Cookie: session='.._SESSION["session"]..'; max-age=' .. maxage .. '; path=/; ' .. cookie_attr .. '\r\n') end
if(ifname ~= nil) then print('Set-Cookie: ifname=' .. ifname .. '; path=/' .. cookie_attr .. '\r\n') end
print('Content-Type: '.. mime ..'\r\n')
if(content_disposition ~= nil) then print('Content-Disposition: '..content_disposition..'\r\n') end
if type(extra_headers) == "table" then
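Review bot: The two added Set-Cookie lines splice `cookie_attr` inconsistently: the session cookie line inserts `'; path=/; '` before it, while the ifname cookie line uses `'; path=/'` with no `; ` separator, so whichever form `ntop.getCookieAttributes()` returns, one of the two headers is malformed. If the returned string starts with an attribute name (e.g. `HttpOnly; SameSite=lax`), the ifname line yields `path=/HttpOnly; ...`, which silently changes the cookie's Path and drops the very attributes this commit is meant to add; the ifname line should read `if(ifname ~= nil) then print('Set-Cookie: ifname=' .. ifname .. '; path=/; ' .. cookie_attr .. '\r\n') end`. It would also be worth a comment on the `local cookie_attr = ntop.getCookieAttributes()` line stating the exact attribute string it is expected to return (and whether `Secure` is included when served over HTTPS), since the correctness of both header lines depends on that format. The enclosing function sendHTTPHeaderIfName continues past the end of this hunk.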