Support #6593
openWtTestCookie: why is this cookie set by Wt?
0%
Description
Hi,
I'm wondering for what purpose this cookie is used by Wt? In Boot.js a comment indicates that it is used to check for server-side cookie support, but I can't find an appropriate C code. Is it really needed? If yes is it possible to remove the cookie after the tests are finished?
Our Wt based web applications should only set cookies if really needed (such as the session-id cookie...)!
Regards,
Stefan
Updated by Roel Standaert over 6 years ago
Yeah, it's supposed to check for cookie support, but I'll have to ask how that works exactly.
In any case, if it's an issue for you, you can disable it with <cookie-checks>false</cookie-checks>
in your wt_config.xml
.
Updated by Stefan Ruppert over 6 years ago
Roel Standaert wrote:
Yeah, it's supposed to check for cookie support, but I'll have to ask how that works exactly.
In any case, if it's an issue for you, you can disable it with
<cookie-checks>false</cookie-checks>
in yourwt_config.xml
.
Hi Roel,
I tested already disabling cookie-checks using wt_config. But after this the session id is always passed using URL parameter wtd. But we need to use the session id cookie! Requirement from our customer...
Regards,
Stefan
Updated by Roel Standaert over 6 years ago
I see where it's used now. It's indeed being used to check whether there's cookie support. It's not checking whether there is exactly that cookie, just that there's a cookie. You can see that in WEnvironment.C
, where doesCookies_
is being set.
In other words: this is necessary for the normal operation of the application, when you're using cookies for session tracking. Why is that a problem?
Updated by Roel Standaert over 6 years ago
Note: the cookie is set to expire after 1 second when it is created.
Updated by Stefan Ruppert over 6 years ago
Roel Standaert wrote:
I see where it's used now. It's indeed being used to check whether there's cookie support. It's not checking whether there is exactly that cookie, just that there's a cookie. You can see that in
WEnvironment.C
, wheredoesCookies_
is being set.In other words: this is necessary for the normal operation of the application, when you're using cookies for session tracking. Why is that a problem?
Well our customer has restrict security requirements regarding cookies and I wanted to have only a session id cookie for our Wt based web application... For now I will wait if its a problem for our customer...
Regards,
Stefan
Updated by Roel Standaert over 6 years ago
Well, you can tell this customer that there's no risk involved with the setting of this cookie. It's not a security sensitive cookie at all, and its use is only for technical reasons (testing cookie support). Note that if your customer has strict security concerns, you could also consider the Combined
session tracking method.
Regards,
Roel
Updated by Christian Meyer about 4 years ago
There is a warning in Firefox regarding that TestCookie and property SameSite attribute without "secure"
https://developer.mozilla.org/de/docs/Web/HTTP/Headers/Set-Cookie/SameSite
Cheers,
Christian