Stop TiP causing security warnings
Currently Testing in Production (TiP) can be used for two purposes: A/B testing or deploying multiple versions of the same website (e.g. production and staging).
Some companies like us use TiP only for the second purpose, but as soon as we enable the feature, an additional cookie called "TiPMix" is added to our website. The purpose of the cookie is to enable A/B testing and help decide which user should be randomly routed to which slot. We always route 100% of our traffic to the production slot, so no decision has to be made in our case, thus we don't need this cookie. (If we want to use the staging slot, we use the x-ms-routing-name query parameter + cookie, as the slots feature does NOT depend on the TiPMix cookie.)
Although this cookie is only used server-side by Azure and we only use HTTPS endpoints, the cookie is set to be neither Secure nor HTTPOnly. This causes our website to fail tests by several security scanners:
I attached sample screenshots of the results of these scanners.
Please notice on the screenshots that almost everything else is configured correctly; only TiP is causing problems on our website (the scan was executed on a test website configured similarly to our production website).
One possible solution to this issue is not to send the TiPMix cookie if 100% of the traffic is routed to the same slot. It does not require any UI modification on the Azure portal and hopefully does not change the behavior of A/B testing, as 100% of the traffic would go to the same slot regardless of the value of the TiPMix cookie. In an optimal case it's basically an additional if condition in the "should I send the TiPMix cookie" code: if there is only one 100% slot (everything else is 0%), then do not add the cookie.
Another solution is to add the HTTPOnly flag, as you only use this cookie server-side and accessing this cookie from JS is AFAIK not supported anyway. Also add an option to turn on the Secure flag somehow. The latter would probably require a UI change; that's why I prefer the first option mentioned above.
To summarize: it would be good if TiP could be configured (or better: set up by default) in a way that does not cause security warnings (or even security risks in some edge cases).
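As an added illustration (not part of this post, and not Azure's or any scanner's own code), here is a small Python checker that applies the same rules the scanners mentioned above apply to Set-Cookie and Strict-Transport-Security headers: it flags cookies that lack Secure or HttpOnly and an HSTS policy that is absent, short-lived, or missing includeSubDomains. The header list it runs over is constructed for this example; the TiPMix value shown is a placeholder, not the real format, and the one-year max-age threshold is the value the HSTS preload list requires, used here as an assumed scanner threshold.

```python
"""Audit Set-Cookie and HSTS response headers for the flags security scanners expect.

Added example; the headers below are constructed, not captured from Azure.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed threshold: one year, the minimum the HSTS preload list requires.
ONE_YEAR = 31536000


@dataclass
class CookieReport:
    name: str
    secure: bool
    http_only: bool
    samesite: Optional[str]

    def findings(self) -> List[str]:
        out = []
        if not self.secure:
            out.append(f"{self.name}: missing Secure (browser also sends it over plain HTTP)")
        if not self.http_only:
            out.append(f"{self.name}: missing HttpOnly (readable from script)")
        return out


def parse_set_cookie(header: str) -> CookieReport:
    """Parse one Set-Cookie header value; attribute names are case-insensitive."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    secure = http_only = False
    samesite = None
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            secure = True
        elif key == "httponly":
            http_only = True
        elif key == "samesite":
            samesite = value.strip() or None
    return CookieReport(name, secure, http_only, samesite)


def hsts_findings(header: str) -> List[str]:
    """Check a Strict-Transport-Security value for max-age and includeSubDomains."""
    out = []
    max_age = None
    include_sub = False
    for directive in header.split(";"):
        key, _, value = directive.strip().partition("=")
        key = key.strip().lower()
        if key == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                out.append("HSTS: max-age is not an integer")
        elif key == "includesubdomains":
            include_sub = True
    if max_age is None:
        out.append("HSTS: max-age directive missing")
    elif max_age < ONE_YEAR:
        out.append(f"HSTS: max-age {max_age} is below one year")
    if not include_sub:
        out.append("HSTS: includeSubDomains not set")
    return out


def audit(headers: List[Tuple[str, str]]) -> List[str]:
    """Return every finding for a list of (header-name, value) pairs."""
    findings: List[str] = []
    hsts_seen = False
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            findings.extend(parse_set_cookie(value).findings())
        elif lname == "strict-transport-security":
            hsts_seen = True
            findings.extend(hsts_findings(value))
    if not hsts_seen:
        findings.append("HSTS: header absent")
    return findings


# Constructed sample: the TiPMix cookie as described in the post (no flags),
# the same cookie with only HttpOnly, a fully flagged cookie, and a sound HSTS policy.
SAMPLE_HEADERS = [
    ("Set-Cookie", "TiPMix=placeholder; Path=/"),
    ("Set-Cookie", "TiPMix=placeholder; Path=/; HttpOnly"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_HEADERS):
        print(finding)
```

To run it against a live site, pass the list returned by `http.client.HTTPResponse.getheaders()` (which keeps duplicate Set-Cookie headers as separate pairs) in place of `SAMPLE_HEADERS`. Note that the HSTS check only says whether the policy is declared; it does not change the fact that a cookie without Secure is still transmitted by a browser that reaches the host over plain HTTP before it has seen the policy.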
We're happy to share that we launched a solution into production a couple of weeks ago.
We added the HttpOnly tag to the TiPMix cookie.
If you encounter any issues, please engage with our support group through a support ticket or on Twitter: @AzureSupport.
Tamás Koczka commented
Thanks for the change, it works well!
Although the cookie is still not Secure, and I presume it's not configurable to be Secure. So it's kind of only half of the solution, but definitely a move in the right direction.
With properly set up HSTS, hopefully there won't be any incidental information leakage because Azure still sends the cookie unencrypted over an HTTP connection if requested that way.
Tamás Koczka commented
Any news regarding this issue?