
I have a web application deployed on WebSphere on the context root /app. Inside the application, there's a JavaScript snippet which executes immediately after it's loaded; it looks something like this:

document.cookie = "foo=bar; path=/app";

setTimeout(function () {
    document.cookie = "baz=qux; path=/app";
}, 1000);

Chrome behavior

From the DevTools I can see that initially foo=bar is created as non-httpOnly and 1-2 seconds later it automatically becomes httpOnly. After waiting for 5 seconds or so (just to make sure), the second cookie is also created, but in non-httpOnly mode, the final result looks like this:

foo=bar (httpOnly=true)
baz=qux (httpOnly=false)

Q1: Why does foo=bar become httpOnly after some time?

Q2: How come this delayed cookie creation makes such a difference?

I can say that the threshold is somewhere around 700-800ms; if I delay cookie creation by less than this value, it behaves exactly as with no delay at all.

Firefox behavior

Here, in case of a delay lower than the threshold (or without any setTimeout), it creates 2 cookies per key,value pair, for example:

foo=bar; path=/app  (httpOnly=false)
foo=bar; path=/app/ (httpOnly=true)
baz=qux; path=/app  (httpOnly=false)
baz=qux; path=/app/ (httpOnly=true)

while in case of a delay higher than the threshold, it does not create a duplicate cookie (for baz=qux):

foo=bar; path=/app  (httpOnly=false)
foo=bar; path=/app/ (httpOnly=true)
baz=qux; path=/app  (httpOnly=false)

Q3: Leaving aside why FF appends a slash at the end (I've heard different browsers handle cookies differently), why isn't that the case for delayed cookie creation?

I even thought that maybe there is a piece of script somewhere in the application which after some time "overwrites" non-httpOnly cookies to httpOnly ones, but I don't think that's the case, because executing this from the console does not change anything:

document.cookie="baz=qux; path=/app; HttpOnly"

i.e. baz=qux remains non-httpOnly. Some even claim that it's not possible.

It's not that the server is resetting cookies to httpOnly via responses; I've checked each and every request in the network view and these cookies are not coming from the server.

I have a gut feeling that there must be something in this environment, because I tried to create a separate Spring Boot project with a similar setup and all the cookies remain non-httpOnly.

Any ideas? Unfortunately, I can't share the real code. If someone's able to explain at least theoretically what could be the cause, that would be really helpful.

Other notes:

  • This does not apply to cookies created with path=/
  • Chrome version: 75.0.3770.100
  • Firefox version: 67.0.4
  • I'm using incognito window without any extensions
tsobe

1 Answer

Ok, after a bit of further digging I think I've found the explanation.

It's not that the server is resetting cookies to httpOnly via responses; I've checked each and every request in the network view and these cookies are not coming from the server.

That's not entirely true. Apparently, WebSphere was sending back the cookie with the httpOnly flag set; probably this was due to the HTTPOnly flag. However, it was not always visible in the Chrome/Firefox DevTools network view. I remember only one case (out of several tens) when this was visible. Not sure why browsers weren't showing it consistently (even with a hard refresh).

tsobe
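The three questions above and the answer's finding (the server re-sent the cookie with HttpOnly) all come down to how a browser's cookie store is keyed and who is allowed to write to it. The following is an added example, not code from the question, the answer, or WebSphere: a small model of the RFC 6265 section 5.3 storage rules in plain JavaScript (runnable under Node), replaying the sequence the question describes. It assumes a fixed host name and ignores expiry, Domain, Secure and SameSite. The Set-Cookie header values it feeds in are constructed for the illustration; the page only reports that WebSphere sent the cookie back with the HttpOnly flag, not the exact header. The model shows: a Set-Cookie response with the same name/domain/path replaces the script-set cookie, which is why the stored foo=bar flips to httpOnly (Q1/Q2: only whatever the server sent back between the two writes gets replaced); document.cookie writes that carry HttpOnly, or that target an existing HttpOnly cookie, are discarded, which is why the console command changed nothing; and Path is compared as a plain string, so /app and /app/ are two separate entries (Q3), which is how a browser can show two cookies for one name.

```javascript
// Added example (not from the question or answer above): a minimal model of the
// RFC 6265 section 5.3 "storage model" for the cases the question runs into:
//   1. a Set-Cookie response header replaces a script-set cookie with the same
//      name/domain/path, so the stored cookie becomes HttpOnly;
//   2. document.cookie writes that carry HttpOnly, or that target an existing
//      HttpOnly cookie, are discarded (5.3 steps 10 and 11.2);
//   3. path is matched as a string, so "/app" and "/app/" are distinct entries.
// Domain handling is simplified to one fixed host; expiry is ignored.

const HOST = "app.example.test"; // constructed host name, not from the page

// Parse one Set-Cookie header value (or a document.cookie assignment string)
// into { name, value, path, httpOnly }. Only Path and HttpOnly are modelled.
function parseCookieString(str, fallbackPath) {
  const parts = str.split(";").map((s) => s.trim()).filter(Boolean);
  const eq = parts[0].indexOf("=");
  if (eq <= 0) throw new Error("cookie needs name=value");
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    path: fallbackPath,
    httpOnly: false,
  };
  for (const attr of parts.slice(1)) {
    const [k, ...rest] = attr.split("=");
    const key = k.trim().toLowerCase();
    if (key === "path" && rest.length) cookie.path = rest.join("=").trim();
    else if (key === "httponly") cookie.httpOnly = true;
    // Secure, SameSite, Max-Age, Expires and Domain are not modelled here.
  }
  return cookie;
}

// RFC 6265 5.1.4: the default-path is the request path up to, but not
// including, its last "/"; "/" if that leaves nothing.
function defaultPath(requestPath) {
  if (!requestPath.startsWith("/")) return "/";
  const i = requestPath.lastIndexOf("/");
  return i === 0 ? "/" : requestPath.slice(0, i);
}

class CookieJar {
  constructor() { this.store = new Map(); } // (name, host, path) -> cookie

  static key(c) { return `${c.name}\u0000${HOST}\u0000${c.path}`; }

  // fromHttp is true for a Set-Cookie header, false for document.cookie.
  set(str, { fromHttp, requestPath }) {
    const c = parseCookieString(str, defaultPath(requestPath));
    // 5.3 step 10: a non-HTTP API (script) cannot create an HttpOnly cookie.
    if (!fromHttp && c.httpOnly) return { stored: false, reason: "httponly-from-script" };
    const k = CookieJar.key(c);
    const old = this.store.get(k);
    // 5.3 step 11.2: script cannot overwrite an existing HttpOnly cookie.
    if (old && old.httpOnly && !fromHttp) return { stored: false, reason: "overwrite-httponly" };
    this.store.set(k, c); // replaces any cookie with the same name/domain/path
    return { stored: true, reason: "ok" };
  }

  // Roughly what a DevTools storage tab would list.
  list() {
    return [...this.store.values()].map((c) => ({
      name: c.name, value: c.value, path: c.path, httpOnly: c.httpOnly,
    }));
  }
}

// Replay the sequence from the question. The two server headers are
// constructed for this example; the page does not show the real ones.
function replayScenario() {
  const jar = new CookieJar();
  const log = [];
  const reqPath = "/app/index.html"; // constructed request path
  log.push(jar.set("foo=bar; path=/app", { fromHttp: false, requestPath: reqPath }));
  // Server response arriving after the script write: same name and path,
  // so it replaces the entry and the stored cookie is now HttpOnly.
  log.push(jar.set("foo=bar; Path=/app; HttpOnly", { fromHttp: true, requestPath: reqPath }));
  log.push(jar.set("baz=qux; path=/app", { fromHttp: false, requestPath: reqPath }));
  // The console experiment from the question: discarded, baz stays as it was.
  log.push(jar.set("baz=qux; path=/app; HttpOnly", { fromHttp: false, requestPath: reqPath }));
  // Script trying to change the now-HttpOnly foo: also discarded.
  log.push(jar.set("foo=changed; path=/app", { fromHttp: false, requestPath: reqPath }));
  // A response carrying Path=/app/ lands under a different key than /app,
  // so both entries coexist (the duplicate-looking pair seen in Firefox).
  log.push(jar.set("baz=qux; Path=/app/; HttpOnly", { fromHttp: true, requestPath: reqPath }));
  return { log, cookies: jar.list() };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(replayScenario(), null, 2));
}
```

Running it prints the decision log and the final jar: foo=bar on /app as httpOnly, baz=qux on /app as non-httpOnly, and a second baz=qux on /app/ as httpOnly. When checking a deployment like the one in the question, the practical step is to look for Set-Cookie headers in every response for the context root (including redirects and static resources, which DevTools filters can hide), since a script can never produce an HttpOnly entry on its own.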