
ASFCUMULUS-845: Set additional security-related properties of session cookie #867

@asjohnston-asf

Description

To improve the security posture of TEA session management, a future release will implement the following properties for the session cookie vended by TEA (named asf-urs by default):

HttpOnly

A cookie with the HttpOnly attribute can't be accessed by JavaScript, for example using Document.cookie; it can only be accessed when it reaches the server. Cookies that persist user sessions for example should have the HttpOnly attribute set — it would be really insecure to make them available to JavaScript. This precaution helps mitigate cross-site scripting (XSS) attacks.

This change will have no impact on TEA deployments that restrict the domain of the session cookie to the TEA application, as TEA does not leverage JavaScript or any other client-side scripting.

This change may impact TEA deployments that set a wider domain for the session cookie. To my knowledge, only ASF TEA deployments are configured this way. Other front-end applications that attempt to interact with the session cookie via JavaScript may no longer function correctly, notably ASF Vertex (see asfadmin/Discovery-SearchUI#2360).

Secure

A cookie with the Secure attribute is only sent to the server with an encrypted request over the HTTPS protocol. It's never sent with unsecured HTTP (except on localhost), which means man-in-the-middle attackers can't access it easily. Insecure sites (with http: in the URL) can't set cookies with the Secure attribute.

This change will have no functional impact, as TEA responds to requests over HTTP by redirecting the user to HTTPS.

SameSite=Lax

The SameSite attribute lets servers specify whether/when cookies are sent with cross-site requests ... This includes requests sent when links are clicked on other sites to navigate to your site ... Strict causes the browser to only send the cookie in response to requests originating from the cookie's origin site ... Lax is similar, except the browser also sends the cookie when the user navigates to the cookie's origin site (even if the user is coming from a different site) ... If no SameSite attribute is set, the cookie is treated as Lax by default.

TEA will explicitly set SameSite=Lax, but this change will have no functional impact, as Lax was already the default. Lax is the appropriate behavior for TEA deployments, as we want existing sessions to be recognized when users click a download link on a non-TEA site (e.g. Earthdata Search).
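The three attributes described above, shown as an added example (not TEA's own code): one function emits a Set-Cookie value for the asf-urs cookie with HttpOnly, Secure and an explicit SameSite=Lax, and a second audits any Set-Cookie value and reports which of those attributes are absent, plus whether a Domain attribute widens the cookie beyond the issuing host. The token and domain values are constructed for the demonstration.

```python
"""Build and audit a Set-Cookie header for a TEA-style session cookie."""
from http.cookies import SimpleCookie
from typing import Optional

COOKIE_NAME = "asf-urs"  # TEA's default session cookie name, per the issue


def build_session_cookie(token: str, domain: Optional[str] = None,
                         max_age: int = 3600) -> str:
    """Return a Set-Cookie value carrying HttpOnly, Secure and SameSite=Lax."""
    jar = SimpleCookie()
    jar[COOKIE_NAME] = token
    morsel = jar[COOKIE_NAME]
    morsel["path"] = "/"
    morsel["max-age"] = max_age
    morsel["httponly"] = True      # not readable via Document.cookie
    morsel["secure"] = True        # only sent over HTTPS
    morsel["samesite"] = "Lax"     # sent on top-level navigations from other sites
    if domain:                     # optional: share the cookie across subdomains
        morsel["domain"] = domain
    return morsel.OutputString()


def audit_set_cookie(header: str) -> dict:
    """Parse a Set-Cookie value and report missing hardening attributes."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    missing = []
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    if "secure" not in attrs:
        missing.append("Secure")
    if attrs.get("samesite", "").lower() != "lax":
        missing.append("SameSite=Lax")  # absent or set to a value other than Lax
    domain = attrs.get("domain") or None
    return {
        "name": name,
        "missing": missing,
        "domain": domain,
        # A Domain attribute makes the cookie visible to every subdomain, which is
        # the deployment shape the issue says HttpOnly may affect.
        "shared_across_subdomains": domain is not None,
    }


if __name__ == "__main__":
    # Constructed sample values; not a real session token or deployment domain.
    print(build_session_cookie("constructed-token", domain="example.org"))
```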
