
💡 Enforce localstorage as session storage instead of cookie

Open szalonna opened this issue 1 year ago • 3 comments

Hello Datadog!

Currently RUM supports local storage as a fallback session store when the client runs in an environment which does not meet the requirements for cookie handling and allowFallbackToLocalStorage is enabled.

I would love to see an option where we can enforce local storage as session store independently if the platform is available to store a cookie or not.


Reason

As mentioned in #590 and #1346, web application security reports mark the session cookie as a low priority finding as it is non-HTTP only. If we, as application developers, could enforce the storage strategy, we could address these findings not by just "ignoring" them. If the fallback strategy works as fine as the cookie one, or if there are some known limitations between the two, we should be able to make this decision.


Possible implementation

  • Update InitConfiguration interface with a new flag like enforceToLocalStorage
  • Update selectSessionStoreStrategyType to check the enforceToLocalStorage flag before checking if the platform is able to handle cookies

szalonna avatar Jun 17 '24 11:06 szalonna

Thank you for your feedback. We'll take this into consideration!

BenoitZugmeyer avatar Jun 19 '24 10:06 BenoitZugmeyer

I'm including this from our security department:

Our PCI scanning vendor (Qualys) marks the session cookie as a medium priority finding as it is missing the HTTPOnly and secure attributes. This is a client-side cookie for which these attributes cannot be set, since the Datadog tool needs to actually inspect the cookie. Further, the cookie does not contain any sensitive information related to payment cards, which PCI is concerned about. For these reasons, this finding creates an unnecessary hurdle in allowing us to pass our scans. Right now the workaround to get the scan to pass is by providing an explanation to Qualys as to why they should ignore it. This is not ideal because this would need to be done on every scan and becomes a burden on us for no good reason. So the ideal solution would be for Datadog to use localstorage instead of using a cookie, as mentioned in this issue.

We would like to continue using DataDog's RUM product, so please advise on an ETA for this.

Thank you.

keenan-v1 avatar Jul 16 '24 19:07 keenan-v1

+1 on this for same reasons above

BMacLinden avatar Jul 16 '24 20:07 BMacLinden

@BenoitZugmeyer Is there any way to disable datadog's cookie at all? I would like to use a proxy so I do not need any cookies.

alexeychikk avatar Nov 19 '24 15:11 alexeychikk

In RUM and Logs Browser SDK latest release (5.35.0) we introduced a new sessionPersistence initialization parameter that allows you to specify either cookie or local-storage to store the session information.

BenoitZugmeyer avatar Jan 10 '25 17:01 BenoitZugmeyer
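The selection logic the issue proposes (an explicit persistence choice checked before cookie-capability detection), written out as an added illustrative model rather than the Datadog browser-sdk's own code. The parameter name `sessionPersistence` and the values `cookie` and `local-storage` come from the final comment; the `allowFallbackToLocalStorage` legacy path comes from the issue body; the probe helpers, the `env` override used for deterministic testing, and the `dd_probe` key are assumptions made for this example.

```javascript
// Illustrative model (added example, not the SDK's own selectSessionStoreStrategyType)
// of choosing where the RUM session id lives. An explicit sessionPersistence wins;
// only when it is absent does the legacy "cookies first, fall back if allowed" path run.

const SESSION_STORE = Object.freeze({ COOKIE: 'cookie', LOCAL_STORAGE: 'local-storage' });

// Probe cookie support with a document.cookie round trip. Outside a browser there is
// no `document`, so the probe reports false and the non-cookie paths are exercised.
function areCookiesAvailable(doc = globalThis.document) {
  if (!doc) return false;
  try {
    doc.cookie = 'dd_probe=1; SameSite=Strict';          // assumed probe name
    const ok = doc.cookie.indexOf('dd_probe=1') !== -1;
    doc.cookie = 'dd_probe=; Max-Age=0';                 // remove the probe cookie again
    return ok;
  } catch (e) {
    return false;
  }
}

// Probe localStorage; setItem can throw (disabled storage, quota, private browsing modes).
function isLocalStorageAvailable(storage = globalThis.localStorage) {
  if (!storage) return false;
  try {
    storage.setItem('dd_probe', '1');
    storage.removeItem('dd_probe');
    return true;
  } catch (e) {
    return false;
  }
}

// Returns 'cookie', 'local-storage', or undefined when no usable store exists.
// `env` lets a caller (or test) override the capability probes.
function selectSessionStoreStrategyType(initConfiguration, env = {}) {
  const { sessionPersistence, allowFallbackToLocalStorage } = initConfiguration;
  const cookies = env.cookies ?? areCookiesAvailable();
  const storage = env.localStorage ?? isLocalStorageAvailable();

  // Explicit choice: with 'local-storage' no cookie is ever written, so a scanner
  // has no session cookie on which to report missing HttpOnly/Secure attributes.
  if (sessionPersistence === SESSION_STORE.LOCAL_STORAGE) {
    return storage ? SESSION_STORE.LOCAL_STORAGE : undefined;
  }
  if (sessionPersistence === SESSION_STORE.COOKIE) {
    return cookies ? SESSION_STORE.COOKIE : undefined;
  }

  // Legacy behaviour described in the issue: cookies first, local storage only as
  // an opted-in fallback when the platform cannot handle cookies.
  if (cookies) return SESSION_STORE.COOKIE;
  if (allowFallbackToLocalStorage && storage) return SESSION_STORE.LOCAL_STORAGE;
  return undefined;
}

// Constructed sample environments showing the three outcomes.
const samples = [
  [{ sessionPersistence: 'local-storage' }, { cookies: true, localStorage: true }],
  [{ allowFallbackToLocalStorage: true }, { cookies: false, localStorage: true }],
  [{}, { cookies: false, localStorage: true }],
];
for (const [config, env] of samples) {
  console.log(JSON.stringify(config), '->', selectSessionStoreStrategyType(config, env));
}
```

Two practical points follow from the model. Forcing `local-storage` removes the cookie-attribute finding because nothing is sent in a Set-Cookie or Cookie header at all, but the session id is still readable by any script running on the origin, exactly as a non-HttpOnly cookie is; the change addresses the scanner report, not script access. And because localStorage is scoped to a single origin while a cookie can be shared across subdomains via its Domain attribute, a session that previously spanned several subdomains will no longer do so once the storage is switched.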