I implement the ignition project that use to provide api gateway on internet. after our IT-security use vulnerability scanner application. I get the vulnerability on this list.
First they told : Session token in URL
I think the problem is after we login or logout . igniton will generate url that contain session token. example url :
http:/myorganizedomain:8088/idp/default/authn/login?token=xxxx
Question : It is possible to hide this parameter to other way such as cookies or htmlstorage?
Second :Cookies with missing, inconsistent or contradictory properties.
Cookie without SameSite attribute.
When cookies lack the SameSite attribute, Web browsers may apply different and
sometimes unexpected defaults. It is therefore recommended to add a SameSite
attribute with an appropriate value of either “Strict”, “Lax”, or “None”
Question : How to enable cookies samesite on ignition ?
No, it is not possible. This is not a session token. It's a nonce with a short TTL used to orchestrate the handoff between the internal IdP's OIDC authorization endpoint and the authentication workflow and it is bound to your session which is tracked with a cookie. So long as you are using TLS, you do not have to worry about the session cookie leaking to a MITM. If the token gets logged somewhere, a bad actor would have to use this token immediately before the user consumes it, and they would also have to know your session ID to make use of the token, and at that point you have worse problems to solve.
Which cookies specifically? If it is the jsessionid cookie in Ignition, you can enable SameSite attribute by setting ignition.http.session.cookie.same-site.enabled system prop to true in ignition.conf as a wrapper.java.additional value and restart the gateway. By default, when enabled, the SameSite value will be set to Strict. This can be changed by setting system prop ignition.http.session.cookie.same-site.value to one of Strict, Lax, or None.