  • HTTPOnly cookie attribute security


    One of our users is using a security scanner to scan our application. The report came back with these vulnerabilities:

    isc_cState Cookie has problem(s):
    Cookie does not have HTTPOnly attribute.

    GLog Cookie has problem(s):
    1) Cookie does not have secure attribute.
    2) Cookie does not have HTTPOnly attribute.

    Remediation Tips:

    Insecure Cookies: For security of sensitive information, cookies must be marked as secure and only be transmitted if the communications channel with the host is a secure one. Servers should use SSL in this case.

    HTTPOnly Cookies: To avoid access and manipulation of cookies in the script, the HTTPOnly attribute should be set for the cookie.

    I'm wondering if you have a newer version with these issues addressed, e.g. tracking isc_cState and GLog with a JavaScript variable instead of cookies.
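An added example, not from the original thread, that reproduces the scanner's rule from the post (a Set-Cookie header is flagged when it lacks the Secure or HttpOnly attribute) and shows how the corrected header looks; the cookie values and paths are constructed placeholders.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly attributes.

Added example (not from the original thread). The sample headers below are
constructed to mirror the scanner report: isc_cState lacks HttpOnly, GLog
lacks both Secure and HttpOnly, and a third cookie is already compliant.
"""

# Constructed sample response headers; values and paths are placeholders.
SAMPLE_SET_COOKIE_HEADERS = [
    "isc_cState=abc123; Path=/; Secure",
    "GLog=xyz789; Path=/",
    "session=s3cr3t; Path=/; Secure; HttpOnly; SameSite=Lax",
]

REQUIRED_FLAGS = ("Secure", "HttpOnly")


def audit_set_cookie(header_value: str) -> tuple[str, list[str]]:
    """Return (cookie_name, missing_flags) for one Set-Cookie header value."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive (RFC 6265); Secure and HttpOnly
    # are bare flags, so only the part before any "=" is compared.
    present = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    missing = [flag for flag in REQUIRED_FLAGS if flag.lower() not in present]
    return name, missing


def audit_all(headers: list[str]) -> dict[str, list[str]]:
    """Map each non-compliant cookie name to the flags it is missing."""
    findings = {}
    for header in headers:
        name, missing = audit_set_cookie(header)
        if missing:
            findings[name] = missing
    return findings


def harden(header_value: str) -> str:
    """Append any missing Secure/HttpOnly flags to a Set-Cookie header value.

    Secure only has an effect when the site is served over HTTPS, because a
    Secure cookie is never sent on a plain-HTTP connection.
    """
    _, missing = audit_set_cookie(header_value)
    return header_value.rstrip("; ") + "".join(f"; {flag}" for flag in missing)


if __name__ == "__main__":
    for cookie, flags in audit_all(SAMPLE_SET_COOKIE_HEADERS).items():
        print(f"{cookie}: missing {', '.join(flags)}")
    print(harden("GLog=xyz789; Path=/"))
```

Whether a missing flag matters depends on what the cookie holds: HttpOnly only stops page script from reading the cookie, so a cookie that carries no secret gains little from it, while Secure only changes behaviour when the application is reachable over HTTPS.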

  • #2
    These cookies do not contain secure information. There is no issue here; security scanners point out spurious vulnerabilities more often than not.