Security Scan Issue: Cookie does not have HTTPOnly attribute.

Hello,

As part of a standard security scan within our organization we found the following vulnerability issues in the scan.

  1. Cookie does not have Secure attribute.
  2. Cookie does not have HttpOnly attribute.

For the first issue regarding "Cookie does not have Secure attribute", we modified prConfig.xml and added the line <env value="true" name="HTTP/SetSecureCookie"/>, and it fixed the issue. But this setting had some issues with PRBasic authentication, so we made this change only in the PROD environment, as only SSO is used there.

Now, what can we do to fix the second issue about the HttpOnly attribute? Is it something that we need to set in prConfig, and what are the side effects of that, if any (as in the case of the Secure attribute for PRBasic)?

Thanks,

Pradeep

**Moderation Team has archived post**

This post has been archived for educational purposes. Contents and links will no longer be updated. If you have the same/similar question, please write a new post.

Comments

August 1, 2014 - 5:12pm

This is solved. These are being set for one SaneID cookie which is not part of our application. Thanks.

March 11, 2015 - 10:37am

In general it should be part of the deployment descriptor file, i.e. the web.xml file. And the drawback is that if we set http-only to true then Pega out-of-the-box functions like Excel and Office integration don't work when using a load balancer.

If we set it through an environment variable using the prconfig.xml file, we observe cross-site scripting issues and unsecured sessions in certain scenarios.

  <session-config>
    <session-timeout>300</session-timeout>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
  </session-config>

Please let me know if my understanding is wrong.

Regards,

Chandrasekhar Bhagath.
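The scanner finding in this thread comes down to inspecting each Set-Cookie header for the Secure and HttpOnly attributes. The following checker reproduces that inspection so a team can verify a fix (whether made in web.xml or prconfig.xml) against captured response headers and see which cookie, such as the third-party SaneID cookie mentioned above, is actually raising the finding. This is an added example, not code from Pega or from either poster; the cookie names and header values it uses are constructed for illustration.

```python
"""Check Set-Cookie headers for the Secure and HttpOnly attributes.

Added example: a self-contained checker in the spirit of the scanner
finding quoted in the thread, not code from Pega or the original posters.
The sample headers at the bottom are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass
class CookieFinding:
    name: str
    missing: List[str] = field(default_factory=list)  # e.g. ["Secure", "HttpOnly"]


def parse_set_cookie(header_value: str) -> Tuple[str, Set[str]]:
    """Split one Set-Cookie value into (cookie name, set of lowercased attribute names).

    Attribute names are case-insensitive (RFC 6265), so "HttpOnly", "httponly"
    and "HTTPONLY" all count as the same flag.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Set[str] = set()
    for part in parts[1:]:
        attr = part.split("=", 1)[0].strip().lower()
        if attr:
            attrs.add(attr)
    return name, attrs


def audit_set_cookie(header_value: str) -> CookieFinding:
    """Report which of Secure / HttpOnly are absent from one Set-Cookie value."""
    name, attrs = parse_set_cookie(header_value)
    missing = []
    if "secure" not in attrs:
        missing.append("Secure")
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    return CookieFinding(name, missing)


def audit_response(headers: List[Tuple[str, str]]) -> List[CookieFinding]:
    """Audit every Set-Cookie header in a (header, value) list.

    Returns only the cookies that have at least one missing attribute, in the
    order they appeared, so the output maps directly onto a scanner report.
    """
    findings = []
    for hdr, value in headers:
        if hdr.lower() != "set-cookie":
            continue
        finding = audit_set_cookie(value)
        if finding.missing:
            findings.append(finding)
    return findings


# Constructed sample response: one fully flagged session cookie, one
# application cookie (hypothetical name) with only Secure, and a third-party
# SaneID cookie with neither flag, like the one identified in the thread.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "app-session=xyz; Path=/prweb; secure"),
    ("Set-Cookie", "SaneID=1234; Path=/"),
]

if __name__ == "__main__":
    for f in audit_response(SAMPLE_HEADERS):
        print(f"{f.name}: missing {', '.join(f.missing)}")
```

Run against real headers by replacing SAMPLE_HEADERS with the header list from a captured response; cookies set by the application server, by Pega, and by any third-party component all show up in the same list, which is what makes it easy to tell which one a scanner is complaining about.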