Information about __test cookie

I can't seem to locate any documentation about the __test cookie that is created after login to TeamCity 8.1.5 (and previous versions as well). We have a requirement for all cookies to expire at the end of a session and for all cookies to be created with the secure flag set, so I am trying to figure out if it is possible to make those changes. So far, I haven't even been able to locate where that cookie is getting created so I can determine if such changes are even possible. Any help in pointing me to documentation of the cookie would be helpful.


Hi Rob,

It is not recommended to configure privacy access on the TeamCity side. It should be configured at the network administration level. We would recommend that you configure corporate browser privacy settings (for example for Chrome) or configure authentication in TeamCity (for example NTLM).


I appreciate the response, but I am fairly certain it is not possible for a client to make a persistent cookie expire at the end of a session. About the closest a client could come is manually deleting the cookie. Blocking cookies is not an option for us, so we simply are looking for a way to make the cookie secure and to expire it at the end of the session. We already have authentication configured, but we try to secure our applications against all known vulnerabilities when possible.

To give more perspective, we scan all web-enabled applications for vulnerabilities, and the ability to tamper with cookies is pretty common (http://www.infosectoday.com/Articles/Cookie_Tampering.htm). The jsessionid cookie fills the role of managing the session, and it is secure, though I can't recall if we secured it or if it was secured since installation. I don't believe that TeamCity is using the __test cookie to persist any session information that should be secured. Even so, we'd like to find out more about the __test cookie, like what it is used for and where/when it is getting created.


We are in the same situation. We have a tool that scans for security vulnerabilities, and it also found that this cookie does not have the HttpOnly and Secure attributes.

Is there any way to remove it or make it HttpOnly and require SSL?

I've checked the latest version and it is still there. I also tried modifying the following settings, with no luck:

* in conf/context -> set useHttpOnly="true" in the Context node

* in conf/server.xml -> set the port 80 connector property secure="true"


I expected the __test cookie to have the HttpOnly and Secure flags once the settings above were set to true and the server restarted.

Thanks

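The check that the scanners mentioned in this thread perform on cookies (missing Secure, missing HttpOnly, lifetime beyond the browser session), as an added example that is not TeamCity or JetBrains code; the Set-Cookie values are constructed to resemble the ones discussed above, and Max-Age/Expires edge cases (deletion cookies) are handled per RFC 6265:

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional

@dataclass
class CookieReport:
    name: str
    secure: bool
    http_only: bool
    persistent: bool
    findings: List[str] = field(default_factory=list)

def _is_persistent(attrs: Dict[str, str], now: datetime) -> bool:
    # Max-Age wins over Expires (RFC 6265); a non-positive Max-Age or a
    # past Expires date deletes the cookie instead of persisting it.
    if "max-age" in attrs:
        return attrs["max-age"].lstrip("-").isdigit() and int(attrs["max-age"]) > 0
    if "expires" in attrs:
        try:
            return parsedate_to_datetime(attrs["expires"]) > now
        except (TypeError, ValueError):
            return False
    return False

def audit_set_cookie(value: str, now: Optional[datetime] = None) -> CookieReport:
    """Parse one Set-Cookie header value and list what a scanner would flag."""
    now = now or datetime.now(timezone.utc)
    name_value, *attr_parts = [p.strip() for p in value.split(";")]
    attrs: Dict[str, str] = {}
    for part in attr_parts:
        key, _, val = part.partition("=")  # bare flags (Secure, HttpOnly) have no '='
        if key:
            attrs[key.strip().lower()] = val.strip()
    report = CookieReport(name_value.split("=", 1)[0].strip(), "secure" in attrs,
                          "httponly" in attrs, _is_persistent(attrs, now))
    if not report.secure:
        report.findings.append("missing Secure (sent over plain HTTP)")
    if not report.http_only:
        report.findings.append("missing HttpOnly (readable from script)")
    if report.persistent:
        report.findings.append("persistent (outlives the browser session)")
    return report

# Constructed Set-Cookie values modelled on the cookies discussed in the thread.
SAMPLE_SET_COOKIES = [
    "JSESSIONID=abc123; Path=/; Secure; HttpOnly",
    "__test=1; Path=/; Expires=Fri, 01 Jan 2100 00:00:00 GMT",
]
```

Run it against the Set-Cookie headers captured from a real login response to see which cookies a scanner will report before re-testing a configuration change.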