Missing HTTPOnly and Secure Cookie Attribute with IM
Article ID: 231975

Products

CA Identity Manager

Issue/Introduction

Vulnerability Description:
A security scan of the application reported that its session cookie is issued without the HttpOnly and Secure attributes.

Impact:
Without the Secure attribute, browsers also send the cookie on requests that use an unencrypted HTTP connection, so an attacker monitoring network traffic can trivially intercept the session identifier. With the attribute set, browsers only send the cookie over HTTPS.
Without the HttpOnly attribute, the cookie can be read by client-side script (for example through a cross-site scripting flaw in the same origin), which may expose the session identifier or other sensitive information stored in the cookie to unintended parties.

Environment

Release: 14.4

Component: IdentityMinder (Identity Manager)

Cause

3rd Party Issue. The attributes of the session cookie are set by the JBoss (Undertow) servlet container that hosts Identity Manager, not by the Identity Manager application itself, so the fix is a container configuration change.

Resolution

Refer to the following Red Hat knowledge base article for the official guidance:

https://access.redhat.com/solutions/3132781

If you do not have a Red Hat subscription for JBoss, you can apply the same change directly:

Edit standalone.xml and add (or update) the session-cookie element inside the default servlet-container of the undertow subsystem. Keep the undertow namespace version that is already present in your standalone.xml; the version shown here (4.0) depends on the JBoss release.

<subsystem xmlns="urn:jboss:domain:undertow:4.0">
    ...
    <servlet-container name="default">
        ...
        <session-cookie http-only="true" secure="true" />
    </servlet-container>
    ...
</subsystem>

Then restart JBoss. Note that secure="true" means browsers will only send the session cookie over HTTPS, so Identity Manager must be accessed over HTTPS after this change.
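To verify the change after the restart, the following is an added example (not part of this article and not CA/Broadcom or JBoss code) that parses Set-Cookie headers and reports which of the two required attributes are missing. The sample headers are constructed; JSESSIONID is assumed as the cookie name (the Undertow default), and the fetch_set_cookie helper, which takes the login URL of your own deployment, is only needed for a live check.

```python
"""Check Set-Cookie headers for the HttpOnly and Secure attributes.

Added example, not code from the article or the product. The BEFORE/AFTER
headers below are constructed samples; the cookie name JSESSIONID is an
assumption (it is the default session cookie name in Undertow).
"""
import urllib.request

# Attributes the scan expects on the session cookie (compared case-insensitively).
REQUIRED = ("httponly", "secure")


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header value into cookie name, value and attributes.

    Attribute names are lower-cased; attributes without a value (Secure,
    HttpOnly) are stored as True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:  # tolerate a trailing ';'
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def missing_attributes(header: str) -> list:
    """Return the required attributes that are absent from one Set-Cookie header."""
    attrs = parse_set_cookie(header)["attrs"]
    return [a for a in REQUIRED if a not in attrs]


def audit(headers) -> dict:
    """Map each cookie name to its list of missing attributes (empty list = OK)."""
    return {parse_set_cookie(h)["name"]: missing_attributes(h) for h in headers}


def fetch_set_cookie(url: str) -> list:
    """Request the given URL and return every Set-Cookie header in the response.

    Network call for a live check of a deployment; not used by the samples.
    """
    with urllib.request.urlopen(url) as resp:
        return resp.headers.get_all("Set-Cookie") or []


# Constructed samples: the session cookie before and after the standalone.xml
# change described in the resolution.
BEFORE = "JSESSIONID=abc123; Path=/iam"
AFTER = "JSESSIONID=abc123; Path=/iam; Secure; HttpOnly"

if __name__ == "__main__":
    for label, header in (("before", BEFORE), ("after", AFTER)):
        gaps = missing_attributes(header)
        print(f"{label}: {'OK' if not gaps else 'missing ' + ', '.join(gaps)}")
```

For a quick manual check the same headers can be inspected with `curl -sI <login URL> | grep -i set-cookie`; any line for the session cookie that does not carry both `Secure` and `HttpOnly` means the container change has not taken effect.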