Symantec Identity Manager / Suite - Missing HTTPOnly and Secure Cookie Attribute with IM


Article ID: 231975


Updated On:


CA Identity Manager CA Identity Suite


Vulnerability Description:
A scan reported that the application's session cookie is issued without the HttpOnly and Secure attributes.

If the Secure attribute is set on a cookie, browsers send that cookie only over encrypted (HTTPS) connections, so it cannot be trivially intercepted by an attacker observing plaintext HTTP traffic.
If the HttpOnly attribute is not set, the cookie can be read by client-side script (for example through document.cookie), so a cross-site scripting flaw anywhere in the application can expose the session identifier to an unintended party.



Release : 14.4, 14.5

Component : Identity Manager


3rd Party Issue


Identity Manager / Identity Portal / Identity Governance Standalone:

Edit the standalone.xml file that is in use (for example standalone-full-ha.xml) and add the http-only and secure attributes to the <session-cookie> element of the default servlet container in the undertow subsystem:

<subsystem xmlns="urn:jboss:domain:undertow:8.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" instance-id="${}" default-security-domain="other">
            <buffer-cache name="default"/>
            <server name="default-server">
             ..(Cleared for readability)..
            <servlet-container name="default">
              <session-cookie http-only="true" secure="true"/>  <!-- add the http-only and secure attributes -->

Stop IDM, clear the tmp and data folders, then start IDM again.
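The following script is an added example (not Broadcom tooling and not part of the original article) that audits a WildFly standalone*.xml for the setting above and, if needed, adds or repairs the <session-cookie> element of the default servlet container while preserving the file's formatting. It assumes the undertow subsystem namespace prefix urn:jboss:domain:undertow: (the version suffix varies by release) and a servlet container named "default", as in the fragment above; the sample XML embedded in it is constructed for the example, not copied from an IM installation.

```python
"""Audit/fix the Undertow session-cookie flags in a WildFly standalone*.xml.

Added example for this article; not Broadcom's or WildFly's own tooling.
Assumptions: undertow subsystem namespace starts with urn:jboss:domain:undertow:
and the servlet container is named "default" (both taken from the fragment above).
"""
import re
import xml.etree.ElementTree as ET

UNDERTOW_NS = "urn:jboss:domain:undertow:"   # version suffix differs per WildFly release


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def session_cookie_flags(xml_text, container="default"):
    """Return {'http-only': bool, 'secure': bool} for the container's
    <session-cookie>, or None when the element (or the container) is absent.
    Undertow treats a missing attribute as false, so that is the default here."""
    root = ET.fromstring(xml_text)
    for sub in root.iter():
        if _local(sub.tag) != "subsystem" or not sub.tag.startswith("{" + UNDERTOW_NS):
            continue
        for sc in sub:  # <servlet-container> is a direct child of the subsystem
            if _local(sc.tag) == "servlet-container" and sc.get("name") == container:
                for child in sc:
                    if _local(child.tag) == "session-cookie":
                        return {
                            "http-only": child.get("http-only", "false").lower() == "true",
                            "secure": child.get("secure", "false").lower() == "true",
                        }
                return None  # container present, <session-cookie> missing
    return None


def harden_session_cookie(xml_text, container="default"):
    """Return xml_text with http-only="true" secure="true" on the container's
    <session-cookie>, adding the element when it is missing. Works on the raw
    text (not a re-serialised tree) so namespaces, comments and indentation
    survive; only the self-closing <session-cookie .../> form is handled."""
    m = re.search(r'<servlet-container\s+name="%s"[^>]*>' % re.escape(container), xml_text)
    if not m:
        raise ValueError("servlet-container %r not found" % container)
    end = xml_text.find("</servlet-container>", m.end())
    if end < 0:
        raise ValueError("unterminated <servlet-container> element")
    body = xml_text[m.end():end]
    cookie = re.search(r"<session-cookie\b[^>]*/>", body)
    if cookie:
        tag = cookie.group(0)
        for attr in ("http-only", "secure"):
            if re.search(r'\b%s="' % attr, tag):
                tag = re.sub(r'\b%s="[^"]*"' % attr, '%s="true"' % attr, tag)
            else:
                tag = tag[:-2] + ' %s="true"/>' % attr
        body = body[:cookie.start()] + tag + body[cookie.end():]
    else:
        indent = re.match(r"\n[ \t]*", body)   # reuse the file's own indentation
        lead = indent.group(0) if indent else "\n"
        body = lead + '<session-cookie http-only="true" secure="true"/>' + body
    return xml_text[:m.end()] + body + xml_text[end:]


# Constructed sample (minimal shape of a standalone*.xml); not a real IM config.
SAMPLE_STANDALONE = """<server xmlns="urn:jboss:domain:10.0">
  <profile>
    <subsystem xmlns="urn:jboss:domain:undertow:8.0" default-server="default-server"
               default-virtual-host="default-host" default-servlet-container="default">
      <server name="default-server">
        <http-listener name="default" socket-binding="http"/>
      </server>
      <servlet-container name="default">
        <jsp-config/>
        <websockets/>
      </servlet-container>
    </subsystem>
  </profile>
</server>
"""

# Same file with a <session-cookie> that carries only http-only (constructed).
WEAK_STANDALONE = SAMPLE_STANDALONE.replace(
    "<jsp-config/>", '<session-cookie name="JSESSIONID" http-only="true"/>\n        <jsp-config/>'
)

if __name__ == "__main__":
    for label, text in (("no element", SAMPLE_STANDALONE), ("partial", WEAK_STANDALONE)):
        print(label, "before:", session_cookie_flags(text))
        print(label, "after: ", session_cookie_flags(harden_session_cookie(text)))
```

Run it against the real file with `session_cookie_flags(open(path).read())` before and after the restart described above; a result of None means the element is missing entirely, which Undertow treats the same as both flags being false.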


Identity Manager VAPP

If the configuration change above is not picked up, apply it through the JBoss management CLI as follows.


Identity Manager VAPP/Standalone (If you use CLI commands):

On the vApp, first add a management user to JBoss using the add-user script in the bin directory:

sudo /opt/CA/wildfly-idm/bin/

What type of user do you wish to add?
 a) Management User (
 b) Application User (
(a): a
Username : <JbossAdminName>
What groups do you want this user to belong to? (Please enter a comma separated list, or leave blank for none)[  ]:
(press Enter to leave this blank)
About to add user '<JbossAdminName>' for realm 'ManagementRealm'
Is this correct yes/no? yes
Added user '<JbossAdminName>' to file '/opt/CA/wildfly-idm/standalone/configuration/'
Added user '<JbossAdminName>' to file '/opt/CA/wildfly-idm/domain/configuration/'
Added user '<JbossAdminName>' with groups  to file '/opt/CA/wildfly-idm/standalone/configuration/'
Added user '<JbossAdminName>' with groups  to file '/opt/CA/wildfly-idm/domain/configuration/'
Is this new user going to be used for one AS process to connect to another AS process?
e.g. for a slave host controller connecting to the master or for a Remoting connection for server to server EJB calls.
yes/no? no

Next, navigate to /opt/CA/wildfly-idm/bin/
execute ./
type: connect
Enter the credentials of the user just created.

Once connected, run the CLI commands below:



Stop Identity Manager (stop_im)

Clear JMS (deleteIDMJMSQueue)

Start Identity Manager (start_im)


For Identity Portal / Identity Governance:

sudo /opt/CA/wildfly-portal/bin/
sudo /opt/CA/wildfly-ig/bin/

Then follow the user-creation steps above and, when you connect, make sure you connect to the IP or IG instance rather than IM.


navigate to /opt/CA/wildfly-portal/bin/
execute ./
type: connect
Enter credentials

navigate to /opt/CA/wildfly-ig/bin/
execute ./
type: connect
Enter credentials

Additional Information

The server-level setting can be overridden by other settings or by the deployed applications themselves:




The <session-config> element in a deployed application's web.xml should not carry its own cookie settings.

If it does, the application is overriding the application server, and that is where the cookie attributes you observe come from.

The attributes can also be enforced by a front-end web server, for example Apache HTTP Server:

Ensure the required module is enabled in Apache HTTP Server.

Add the following entry to /etc/apache2/conf-enabled/security.conf:

Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

Restart Apache HTTP Server and re-test. Note that this rule rewrites every Set-Cookie header the server returns: cookies that already carry the attributes get them a second time, and cookies that client-side script legitimately needs to read become unreadable. Use "Header always edit" as well if the header must also be rewritten in locally generated error responses, which the default table does not cover.
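Whichever layer sets the attributes (Undertow, the application's web.xml, or the web server), the only check that matters is what the browser actually receives. The following added example (not from the article, the product, or Apache) parses Set-Cookie response headers and reports cookies that lack HttpOnly or Secure, then emulates the mod_headers rule above in Python to show that it fixes every cookie but also appends duplicate attributes to cookies that were already hardened. The response headers in it are constructed for the example, not captured from an IM instance; the cookie names and paths are illustrative. The Header directive itself is provided by Apache's mod_headers, which uses a PCRE pattern, so a non-duplicating variant there would need a negative lookahead such as (?i)^((?:(?!;\s*HttpOnly\b).)*)$ per attribute; that variant is a suggestion of this example, not the article's.

```python
"""Audit Set-Cookie headers for HttpOnly/Secure and emulate the article's
Apache 'Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure' rule.

Added example for this article; not Broadcom or Apache code. The response
headers below are constructed, not captured from a real deployment.
"""
import re


def cookie_flags(set_cookie_value):
    """Parse one Set-Cookie header value into (cookie_name, flags).
    Attribute names are case-insensitive (RFC 6265), so compare lower-cased.
    'duplicates' is set when any attribute appears more than once."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = [p.lower() for p in parts[1:] if p]
    return name, {
        "httponly": "httponly" in attrs,
        "secure": "secure" in attrs,
        "duplicates": len(attrs) != len(set(attrs)),
    }


def audit(headers):
    """headers: list of (header_name, value) pairs as received from the server.
    Returns [(cookie_name, [missing_flags...]), ...] for every cookie that
    lacks HttpOnly or Secure; an empty list means every cookie is hardened."""
    findings = []
    for hname, value in headers:
        if hname.lower() != "set-cookie":
            continue
        cname, flags = cookie_flags(value)
        missing = [f for f in ("httponly", "secure") if not flags[f]]
        if missing:
            findings.append((cname, missing))
    return findings


# Python equivalent of:  Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
APACHE_EDIT_PATTERN = re.compile(r"^(.*)$")
APACHE_EDIT_REPLACEMENT = r"\1;HttpOnly;Secure"


def apache_header_edit(set_cookie_value):
    """Apply the article's rule to one Set-Cookie value. It appends
    unconditionally, so already-hardened cookies end up with duplicates."""
    return APACHE_EDIT_PATTERN.sub(APACHE_EDIT_REPLACEMENT, set_cookie_value, count=1)


def apply_apache_rule(headers):
    """Rewrite every Set-Cookie header the way mod_headers would."""
    return [(h, apache_header_edit(v) if h.lower() == "set-cookie" else v) for h, v in headers]


# Constructed sample of a login response: one bare session cookie, one cookie
# with only Secure, one that is already fully hardened.
SAMPLE_RESPONSE_HEADERS = [
    ("Content-Type", "text/html;charset=UTF-8"),
    ("Set-Cookie", "JSESSIONID=ABC123; Path=/iam/im"),
    ("Set-Cookie", "lang=en; Path=/; Secure"),
    ("Set-Cookie", "csrf=xyz; Path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    print("before:", audit(SAMPLE_RESPONSE_HEADERS))
    after = apply_apache_rule(SAMPLE_RESPONSE_HEADERS)
    print("after: ", audit(after))
    for h, v in after:
        if h == "Set-Cookie":
            print(v, "<- duplicates" if cookie_flags(v)[1]["duplicates"] else "")
```

To audit a live instance, feed `audit()` the `Set-Cookie` headers from the login response (for example the list returned by `http.client`'s `getheaders()`); cookies that are set on a redirect should be checked as well, since that is where session cookies are most often issued.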


Third party network


Refer to the following link for the official information: