    SmartGWT client side cookies

    Hello,

    SmartClient version: v9.1p_2014-03-11/EVAL

    A preliminary penetration test against a SmartGWT application running under HTTPS highlighted the following cookie as an issue:

    Code:
    isc_cState=ready; Path=/
    The testers raised concerns that the cookie did not have a) its Secure flag set and b) its HttpOnly flag set.

    Can you confirm that this isc_cState is indeed a SmartClient cookie?

    In order for me to answer concern a), does a mechanism exist within SmartClient to request that cookies have their Secure flag set?

    I believe b) can be dismissed. Given SmartClient is a JavaScript framework, it can be suggested that the cookie cannot be HttpOnly, as this would preclude its use by the framework.

    Do any of the concerns raised have merit?

    Appreciate your comments.
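    A small audit of the two flags the testers raised, added here as an example that is not part of this thread or of SmartClient itself. It parses Set-Cookie header strings and reports a missing Secure flag only when the site is served over HTTPS, and treats a missing HttpOnly flag differently for cookies that client-side script has to read; the header strings and the set of script-readable cookie names are constructed for the example.

```javascript
// Added example, not SmartClient code. Parses a Set-Cookie header value into
// name, value and lower-cased attribute map, e.g. "isc_cState=ready; Path=/".
function parseSetCookie(header) {
  const parts = header.split(';').map((s) => s.trim()).filter(Boolean);
  const [rawName, ...valueParts] = parts[0].split('=');
  const attrs = {};
  for (const p of parts.slice(1)) {
    const [k, ...v] = p.split('=');
    // Flag attributes (Secure, HttpOnly) carry no value; store them as true.
    attrs[k.trim().toLowerCase()] = v.length ? v.join('=') : true;
  }
  return { name: rawName.trim(), value: valueParts.join('='), attrs };
}

// Audits one header. `overHttps` says whether the app is served over TLS
// (the Secure flag only matters there). `scriptReadable` is a constructed
// set of cookie names that client-side JavaScript must read; for those,
// HttpOnly cannot be set without breaking the client, so it is reported as
// not applicable rather than as a finding.
function auditCookie(header, { overHttps, scriptReadable }) {
  const c = parseSetCookie(header);
  const findings = [];
  if (overHttps && c.attrs.secure !== true) findings.push('missing Secure');
  if (c.attrs.httponly !== true) {
    findings.push(
      scriptReadable.has(c.name)
        ? 'HttpOnly not applicable (read by client-side script)'
        : 'missing HttpOnly'
    );
  }
  return { name: c.name, findings };
}

// Audits a list of headers and returns {cookieName: "finding; finding"}.
function auditHeaders(headers, options) {
  const report = {};
  for (const h of headers) {
    const r = auditCookie(h, options);
    report[r.name] = r.findings.length ? r.findings.join('; ') : 'no findings';
  }
  return report;
}

// Constructed sample: the cookie from the pentest report plus a hardened one.
const SAMPLE_HEADERS = ['isc_cState=ready; Path=/', 'JSESSIONID=abc123; Path=/; Secure; HttpOnly'];
const SAMPLE_OPTIONS = { overHttps: true, scriptReadable: new Set(['isc_cState']) };
```

Running `auditHeaders(SAMPLE_HEADERS, SAMPLE_OPTIONS)` reports the first cookie as lacking Secure with HttpOnly not applicable, and the second as clean.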

    #2
    No, no real issue here. That cookie is an implementation detail of our HTTP compression support and contains no state that needs to be treated securely.

      #3
      OK, thanks very much.
