1 Reply Latest reply on Jan 31, 2013 1:59 PM by jochen

    Setting non-HttpOnly Cookies in Jive 6


      Hi there,


      We have been working on a 3rd party integration recently. The 3rd party provides two SDKs, one for Java and one for JavaScript. We are mainly using the JS one, particularly to pull widgets from the 3rd party. The Java SDK we are only using to make an initial authentication call on the backend (for security reasons). After that call has been made, we are receiving a cookie name and value from the 3rd party which we use to set the auth cookie required to pull widgets via the JS API.


      According to the documentation, our problem is that


      Starting with Jive version 4.5.7, all Jive cookies that are set by the server (not via the client or browser) have the HttpOnly flag.


      Since that flag is set, the JS SDK does not pick up the cookie, and hence our calls to the 3rd party fail as unauthorized. Some research shows that Jive is setting the HttpOnly flag via an Apache rewrite rule. We are in touch with hosting to see if the rewrite rule can be altered to set the required cookie as non-HttpOnly. However, since this seems like a fairly generic pain point, we are curious to hear the community's thoughts on this. Has anyone out there run into this problem before, and if so, were you able to address the issue without involving hosting and changing the Apache configuration?




        • Re: Setting non-HttpOnly Cookies in Jive 6

          For future reference: We were unable to identify alternative approaches, so we ended up having hosting adjust the Apache configuration in both UAT and PRO environments. With the change they made, we are now able to set the cookie without the HttpOnly flag being set. Apache supports both hard-coded cookie names as well as cookie name patterns, which was helpful in our case since the name of the cookie we are dealing with is auto-generated but stays within a defined naming convention.
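
Added example, not part of the thread and not Jive's or the hosting team's actual configuration: a Python model of a rule that appends HttpOnly to every Set-Cookie header except names matching one pattern, plus a check that lists which cookies stay script-readable. The cookie naming convention `tp_auth_<8 hex>` and the sample headers are assumptions constructed for illustration.

```python
import re

# Hypothetical naming convention for the 3rd party cookie (assumption: the
# thread gives neither the real name nor the real pattern).
EXEMPT_NAME = r"tp_auth_[0-9a-f]{8}"

# Modelled on the shape of an Apache mod_headers "Header edit Set-Cookie" rule.
# First lookahead: skip exempt names. It is anchored at the start and ends on
# "=", so a longer, similar-looking name is NOT exempted.
# Second lookahead: skip headers that already carry the flag (no duplicates).
APPEND_HTTPONLY = re.compile(
    rf"^(?!{EXEMPT_NAME}=)(?!.*;\s*(?i:HttpOnly)\b)(.*)$"
)


def apply_rule(set_cookie: str) -> str:
    """Return the Set-Cookie value as it would leave the proxy."""
    return APPEND_HTTPONLY.sub(r"\1; HttpOnly", set_cookie, count=1)


def cookie_name(set_cookie: str) -> str:
    return set_cookie.split("=", 1)[0].strip()


def has_httponly(set_cookie: str) -> bool:
    attrs = [a.strip().lower() for a in set_cookie.split(";")[1:]]
    return "httponly" in attrs


def script_readable(headers):
    """Names of cookies JavaScript can still read after the rule runs."""
    rewritten = map(apply_rule, headers)
    return [cookie_name(h) for h in rewritten if not has_httponly(h)]


# Constructed sample headers (not captured from a real Jive instance).
SAMPLE = [
    "JSESSIONID=abc123; Path=/; Secure",
    "tp_auth_deadbeef=tok; Path=/; Secure",   # matches the convention
    "tp_auth_deadbeef_x=tok; Path=/",         # similar name, not exempt
    "prefs=dark; Path=/; HttpOnly",           # flag already present
]

if __name__ == "__main__":
    for header in SAMPLE:
        print(apply_rule(header))
    print("script-readable:", script_readable(SAMPLE))
```

Running `script_readable` against the headers a staging instance actually emits shows whether the exemption covers only the intended cookie; any other name in the result means the pattern is too broad.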