Could the sessionId cookie be made httpOnly to avoid potential XSS?

[Loki-Afro]

Is your feature request related to a problem? Please describe.
Currently the sessionId can not be made httpOnly

Describe the solution you'd like
sessionId to be made httpOnly

Describe alternatives you've considered
going the oauth route might not be worth it and might be affected too?

documentation I found https://docs.etherpad.org/cookies.html

[SamTV12345]

I'll check. How did you verify that the cookie can't be made httpOnly? Did you use any plugins?

[Loki-Afro]

hey @SamTV12345 i briefly checked the code and saw some discussion somewhere

i do not use any plugins.

code like this for example: https://github.com/ether/etherpad-lite/blob/45a906e19dae2ba17190b412e557b2912b999992/src/static/js/timeslider.ts#L104 makes it currently not possible as far as i understand

[SamTV12345]

Yeah then it's hard. I'll check if it is possible. First impression is that I have to check all the other plugins too before doing this change or I do a flag for people who want to enable it.

[SamTV12345]

I just checked. It is not feasable. We use socket.io for sending messages around. In order for the server to access the cookie you need something like a post request with the cookie but it's socket.io i.e. we need some JavaScript to send the message and the JavaScript needs access to the sessionId.

[Loki-Afro]

@SamTV12345 haven't looked so deeply into the code but isn't this approach feasible: https://stackoverflow.com/a/73338844/1248724 ?

in another project ... we are using socket.io as well, we have also have a httpOnly session cookie.

[JohnMcLear]

Looked at this as a potential quick win and it's larger than it appears — noting here for the next person:

Etherpad has a few session-adjacent cookies, and each has a different story:

• express_sid (the express-session cookie, set in src/node/hooks/express.ts:216) is already httpOnly: true — that's the express-session default and we don't override it. Good as-is.
• token (author token, set client-side in src/static/js/pad.ts:266 and server-side in src/node/hooks/express/tokenTransfer.ts:43) is explicitly read by client JS (Cookies.get in pad.ts:263, timeslider.ts, and the token-transfer flow in welcome.ts:31). Making it HttpOnly would break those flows.
• sessionID (API group-session cookie) is read by client JS in src/static/js/pad.ts:283 and sent back to the server in the CLIENT_READY socket message. Making it HttpOnly requires reworking the handshake so the server reads it from the upgrade request cookies instead of from the message body. Doable but not a drive-by fix — it's a protocol change with backward-compat implications for integrators (MediaWiki etc.) who set this cookie themselves.

So the real scope here is a server-side sessionID refactor, not a cookie-flag flip. Worth doing, but not a quick win.

[copilot-swe-agent]

The agent encountered an error and was unable to start working on this issue: The service is temporarily unavailable. Please try again later. (Request id: D2EC:20373:2FE719:33E9EA:6A045140)