Issue when adding flag httpOnly to cookie

Hi everyone,

I tried to deploy the Bonita portal in our infrastructure, where the HttpOnly flag is forced on the cookie by our front end. For more information on this flag, here is some documentation:

  • https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#security
  • https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#httponly-attribute

See below the front-end configuration that sets the cookie (if I remove this part, everything works normally):

Header edit Set-Cookie "(?i)^(.*);[\s]*HttpOnly[\s]*(.*)$" "$1$2"
Header edit Set-Cookie (.*) "$1; HttpOnly"


I think there is an issue when the HttpOnly flag is set on the cookie during authentication on the portal, because when this flag is set on the cookie we lose the X-Bonita-API-Token header containing the token, and all requests made from the portal that require this token fail (error 401 due to the absence of the token). I don't know where this header is set up, but maybe something goes wrong when the cookie is parsed in this case?

Can anyone confirm the problem or tell me where to report this issue?

Best,
Leo.
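An added example, not code from the post or from Bonita, that emulates the two Header edit rules above in Python over constructed Set-Cookie values and then filters them the way a browser filters document.cookie. It assumes the X-Bonita-API-Token header is built by front-end script from a cookie of the same name, which the post does not confirm; the cookie values and the JSESSIONID-scoped alternative rules are constructed for the example.

```python
import re
from typing import List, Tuple

# Constructed sample Set-Cookie headers (not captured from Bonita): a Tomcat
# session cookie, a hypothetical token cookie that front-end script reads and
# copies into the X-Bonita-API-Token header, and a cookie already HttpOnly.
SAMPLE_SET_COOKIE: List[str] = [
    "JSESSIONID=1A2B3C; Path=/bonita; Secure",
    "X-Bonita-API-Token=tok123; Path=/bonita",
    "lang=en; Path=/; HttpOnly",
]

Rule = Tuple[str, str]

# The two 'Header edit Set-Cookie' rules from the post, translated to Python
# re syntax ($1 -> \1).  The first strips any existing HttpOnly attribute,
# the second appends one to *every* Set-Cookie header.
BLANKET_RULES: List[Rule] = [
    (r"(?i)^(.*);[\s]*HttpOnly[\s]*(.*)$", r"\1\2"),
    (r"(.*)", r"\1; HttpOnly"),
]

# Assumed alternative (not from the thread): scope both rules to the session
# cookie so a token cookie that script must read is left untouched.
SELECTIVE_RULES: List[Rule] = [
    (r"(?i)^(JSESSIONID=.*);[\s]*HttpOnly[\s]*(.*)$", r"\1\2"),
    (r"^(JSESSIONID=.*)$", r"\1; HttpOnly"),
]


def apply_rules(headers: List[str], rules: List[Rule]) -> List[str]:
    """Emulate a chain of 'Header edit' directives over each Set-Cookie value.

    'Header edit' (unlike 'Header edit*') rewrites only the first match, so
    count=1 is used; without it Python's re.sub would match '(.*)' a second
    time at end-of-string and append '; HttpOnly' twice.
    """
    out = []
    for value in headers:
        for pattern, repl in rules:
            value = re.sub(pattern, repl, value, count=1)
        out.append(value)
    return out


def script_visible_cookies(headers: List[str]) -> List[str]:
    """Return the cookie names a browser would expose to document.cookie.

    A cookie carrying the HttpOnly attribute is still sent on requests but is
    not readable by JavaScript, so any token that script has to copy from a
    cookie into a request header disappears once HttpOnly is added to it.
    """
    visible = []
    for value in headers:
        parts = [p.strip() for p in value.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "httponly" not in attrs:
            visible.append(name)
    return visible


if __name__ == "__main__":
    for label, rules in (("blanket", BLANKET_RULES), ("selective", SELECTIVE_RULES)):
        rewritten = apply_rules(SAMPLE_SET_COOKIE, rules)
        print(f"{label}:")
        for h in rewritten:
            print("  Set-Cookie:", h)
        print("  readable by script:", script_visible_cookies(rewritten))
```

With the blanket rules every cookie, the token cookie included, becomes unreadable to script, which matches the symptom of the header going missing and the 401s. Scoping the rules to the container session cookie has the same effect as Tomcat's own session-config cookie settings, which mark only the session cookie as HttpOnly; whether the token cookie itself can be made HttpOnly without breaking the portal depends on how Bonita's front end obtains the token, which the post leaves open.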

Hi,

Did you try the Tomcat configuration way?

Open web.xml and add the following inside the session-config section:

<!-- Servlet 3.0 cookie-config; element names assumed from the two "true" values shown -->
<cookie-config>
  <http-only>true</http-only>
  <secure>true</secure>
</cookie-config>

HTH
Romain