
The cookie does not contain the "HTTPOnly" attribute.

vvskaladhar_488
Nimbostratus

Hi All, we got the vulnerability below in our vulnerability scan:

Threat: The cookie does not contain the "HTTPOnly" attribute.

Impact: Cookies without the "HTTPOnly" attribute are permitted to be accessed via JavaScript. Cross-site scripting attacks can steal cookies which could lead to user impersonation or compromise of the application account.

Solution: If the associated risk of a compromised account is high, apply the "HTTPOnly" attribute to cookies.

But we need both the HTTPOnly and Secure flags set on the cookies. Can you please let me know if this can be achieved if I make the HTTPOnly setting on the cookie? Or please suggest if anything else needs to be taken care of.

 

2 REPLIES

vvskaladhar_488
Nimbostratus

Hi All,

 

As per my understanding, the "HTTPOnly" attribute can be inserted into cookies only by using ASM, as I don't see this option in LTM. Please let me know if there is any way to solve the above vulnerability.

 

Maneesh_72711
Cirrostratus