State management
Many applications pass state between pages or (RPC) requests. A developer needs to be aware when state travels in a way the client can see or modify (e.g. URL variables, cookies, REST parameters) and take proper precautions to prevent leakage of data or unauthorized access to a website or system.
WebHare offers some APIs to help encrypt these values when they are passed 'through' a client. Even with encryption you should be careful of 'replay' attacks, where the client reuses an encrypted value without having to understand it: you might not be able to read the session cookie you stole from a sysop, but it may still grant you the same access if you can present it.
Cookies and (URL) variables
Cookies should have the httponly and secure flags whenever possible (%UpdateWebCookie already sets 'httponly' by default). Avoid JavaScript-readable cookies even if they do not contain any sensitive data at all; it will save you from having to explain their harmlessness during a security audit.
You can ask UpdateWebCookie for an encrypted cookie (which can be read using %GetDecryptedWebCookie), but you will still need to be careful about replay attacks by whoever holds its value. Encryption hides the contents from the client; it does not stop the client from sending the same cookie again.
Further tips
- Do not consider a WRD_GUID by itself to be proof of anything; GUIDs are too easily leaked (in URLs, logs, referrers). If you need a secure way to identify a WRD entity, encrypt the guid.
- Scopes for %EncryptForThisServer must be unique for each different use. Attackers may try to inject a token encrypted for one scope into a different scope to see if anything can be learned from it or whether it is accepted there, so decrypt a token only with the scope it was created for.
- Do not worry about variables being passed between screens inside a Tollium application. Unlike RPC calls, data passed in function calls inside Tollium (e.g. the data passed to a LoadScreen/RunScreen) is not available to the client.