Missing HttpOnly and Secure Cookie flags for SiteMinder Cookies

Article ID: 10583

Products

  • CA Single Sign On Secure Proxy Server (SiteMinder)
  • CA Single Sign On SOA Security Manager (SiteMinder)
  • CA Single Sign-On SITEMINDER

Issue/Introduction

How to configure SiteMinder to set HttpOnly and secure cookie flags

HttpOnly is an additional flag included in a Set-Cookie HTTP response header. Using the HttpOnly flag when generating a cookie helps mitigate the risk of a client-side script accessing the protected cookie (if the browser supports it).

The example below shows the syntax used within the HTTP response header (Max-Age is a literal attribute name; everything in square brackets is optional):

Set-Cookie: <name>=<value>[; Max-Age=<age>][; expires=<date>][; domain=<domain_name>][; path=<some_path>][; secure][; HttpOnly]

If the optional HttpOnly flag is included in the HTTP response header, the cookie cannot be accessed through a client-side script (again, if the browser supports this flag). As a result, even if a cross-site scripting (XSS) flaw exists and a user accidentally follows a link that exploits it, the browser (primarily Internet Explorer) will not reveal the cookie to a third party.

The secure flag is an option that can be set by the application server when sending a new cookie to the user within an HTTP response. The purpose of the secure flag is to prevent cookies from being observed by unauthorized parties due to transmission of the cookie in clear text.

To accomplish this goal, browsers that support the secure flag will only send cookies carrying it when the request is going to an HTTPS page. Put another way, the browser will not send a cookie with the secure flag set over an unencrypted HTTP request.

By setting the secure flag, the browser will prevent the transmission of a cookie over an unencrypted channel.

Environment

Web Agent: r12.x

Resolution

This can be mitigated by setting the following two ACO parameters to YES:

UseHTTPOnlyCookies

Instructs the Web Agent to set the HTTP-only attribute on the cookies it creates. When a Web Agent returns a cookie with this attribute to a user's browser, the contents of the cookie cannot be read by a script, even a script from the website that originally set the cookie. This helps prevent any sensitive information in the cookie from being sent to an unauthorized third party through a script.

Default: No

To safeguard the information in cookies, set the value of the UseHTTPOnlyCookies parameter to yes.

UseSecureCookies

Sends cookies to web servers using secure (HTTPS) connections only. Enable this parameter to increase security between browsers and web servers.

When this setting is enabled, users in single sign-on environments who move from an SSL web server to a non-SSL web server will have to re-authenticate, because secure cookies cannot be passed over traditional HTTP connections.

Default: No

To send cookies over SSL connections only, set the UseSecureCookies parameter to yes.
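To verify the change from the browser side, the Python below (an added example written for this article, not Broadcom's or the Web Agent's own code) parses Set-Cookie headers and reports, per cookie, which of the two ACO parameters above still needs to be set to YES. The headers are constructed samples; SMSESSION is the SiteMinder session cookie name, the values and domain are made up.

```python
import re
from typing import Dict, List, Tuple

# Which ACO parameter from this article turns on each cookie attribute.
ACO_PARAMETER_FOR_FLAG = {
    "secure": "UseSecureCookies",
    "httponly": "UseHTTPOnlyCookies",
}

# Constructed sample headers, not captured from a real deployment. The first
# line is the misconfiguration this article describes, the second is what the
# Web Agent emits once both ACO parameters are YES, the third has only HttpOnly.
SAMPLE_HEADERS = [
    "Set-Cookie: SMSESSION=abc123; path=/; domain=.example.com",
    "Set-Cookie: SMSESSION=abc123; path=/; domain=.example.com; secure; HttpOnly",
    "Set-Cookie: SMIDENTITY=xyz789; path=/; domain=.example.com; HttpOnly",
]

def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a Set-Cookie header into (name, value, attributes). Attribute names
    are lower-cased (RFC 6265 compares them case-insensitively); flags map to ''."""
    body = re.sub(r"^set-cookie:\s*", "", header.strip(), flags=re.IGNORECASE)
    parts = [p.strip() for p in body.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def missing_flags(header: str) -> List[str]:
    """Return the required flags (secure, httponly) that the header lacks."""
    _, _, attrs = parse_set_cookie(header)
    return [flag for flag in ACO_PARAMETER_FOR_FLAG if flag not in attrs]

def audit(headers: List[str]) -> List[Tuple[str, List[str]]]:
    """For each cookie, list the ACO parameters that still need to be set to YES."""
    findings = []
    for header in headers:
        name, _, _ = parse_set_cookie(header)
        params = [ACO_PARAMETER_FOR_FLAG[f] for f in missing_flags(header)]
        findings.append((name, params))
    return findings

if __name__ == "__main__":
    for name, params in audit(SAMPLE_HEADERS):
        print(name, "OK" if not params else "set to YES: " + ", ".join(params))
```

Feed it the Set-Cookie lines from a captured response to a protected resource after changing the ACO; every SiteMinder cookie should come back with an empty parameter list.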

Additional Information

SiteMinder Browser Cookies