
    Cookie isc_cState - Vulnerability


    We are using Power Edition 4.1p.

    Qualys Scanner detected the two vulnerabilities below for cookie "isc_cState":

    150122 Cookie Does Not Contain The "secure" Attribute
    150123 Cookie Does Not Contain The "HTTPOnly" Attribute (1)

    Both are related to cookie "isc_cState".

    I found in the forum (
    "These cookies do not contain secure information. There is no issue here; security scanners point out spurious vulnerabilities more often than not."

    Is there any way to fix this issue, or is this fixed in a later version?


    There is no fix because there is no issue.


      Hi,

      Thanks for your reply.
      The scanner is reporting this as an issue for cookie "isc_cState". We will need to close this issue.
      Can you please guide us to make it Secure and HTTPOnly?



        Again, there is no need for this cookie to be modified, there is no security vulnerability here.

        Your scanner is simply producing a bogus result. The majority of security problems identified with scanners are bogus and could never be exploited.

        If you try to close every issue raised by a security scanner you will spend all your time doing that, and you will have accomplished nothing.


          We just had the same false positive result on a customer scan.

          This kind of automated scanning is becoming more and more common even though it cannot make the distinction between actual issues and the false positive represented by this cookie.
          Nevertheless this is the reality of things and we need to deal with that.

          An argument could be made that setting the secure flag on this cookie whenever we are using a secure connection could be the most efficient way to save a lot of people a ton of time. Think about how many of your customers have to go through that long list of mostly bogus security issues, analyze every one of them, and flag the bad ones.

          Adding that flag would save everyone time, give a greater perception of security, and help us accomplish things.
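
The two scanner checks named in this thread, and the suggestion above to set Secure whenever the connection is HTTPS, sketched as an added example (not SmartClient code and not written by any poster). The function names, the `reviewed` allow-list and the sample cookie values are assumptions constructed for illustration.

```python
# Added example, not SmartClient code. Cookie values below are constructed.
QID_SECURE = "150122"    # Cookie Does Not Contain The "secure" Attribute
QID_HTTPONLY = "150123"  # Cookie Does Not Contain The "HTTPOnly" Attribute


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, set of lower-cased attribute names)."""
    first, *rest = header.split(";")
    name = first.split("=", 1)[0].strip()
    attrs = {part.split("=", 1)[0].strip().lower() for part in rest if part.strip()}
    return name, attrs


def audit(headers, scheme, reviewed=frozenset()):
    """Return (qid, cookie, status) rows for the two checks from the thread.

    `reviewed` (hypothetical) holds cookie names a person has assessed as
    carrying no sensitive data; their rows are kept and marked, not dropped.
    """
    rows = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        status = "reviewed-non-sensitive" if name in reviewed else "open"
        # Assumption: the Secure check applies only to responses sent over HTTPS.
        if scheme == "https" and "secure" not in attrs:
            rows.append((QID_SECURE, name, status))
        if "httponly" not in attrs:
            rows.append((QID_HTTPONLY, name, status))
    return rows


def add_secure_on_https(header, scheme):
    """Append Secure when the response goes out over HTTPS and it is missing."""
    _, attrs = parse_set_cookie(header)
    if scheme == "https" and "secure" not in attrs:
        return header.rstrip("; ") + "; Secure"
    return header


# Constructed sample response headers.
SAMPLE = [
    "isc_cState=ready; Path=/",
    "JSESSIONID=0123456789ABCDEF; Path=/app; Secure; HttpOnly",
]

if __name__ == "__main__":
    for row in audit(SAMPLE, "https", reviewed={"isc_cState"}):
        print(row)
    print(add_secure_on_https(SAMPLE[0], "https"))
```

HttpOnly is not added automatically here because it hides a cookie from page scripts, so it is only safe on cookies that no client-side code reads.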


            On this particular issue, we recently made a change in 13.0 that should stop security scanners from reporting this as a bogus security issue.

            However, it remains the case that security scanners will flag hundreds of bogus issues, not just bogus issues related to cookies, and there's really nothing we can do about people using tools in a naive way. To save everyone's time, please consult a security professional before filing an issue. Thanks!