AWI: session cookie JSESSIONID does not have the SameSite attribute set
search cancel

AWI: session cookie JSESSIONID does not have the SameSite attribute set


Article ID: 249022


Updated On:


CA Automic Workload Automation - Automation Engine CA Automic One Automation


During a security Audit on AWI a penetration test discovered the following vulnerability:

The session cookie JSESSIONID does not have the SameSite attribute set.
The SameSite flag can help mitigate CSRF and Clickjacking attacks.
If this flag is not set, the application cannot benefit from this protection mechanism.


Release : 12.3.x

Component : Automic Web Interface (AWI)


Here is the relevant excerpt from the report:

HTTP Request:
GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
HTTP Response where session cookies without the SameSite flag:
HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: text/html;charset=utf-8
Date: Tue, 10 Aug 2021 08:04:13 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Set-Cookie: JSESSIONID=25493E320E83EDA411325EAB163BB65D; Path=/; Secure; HttpOnly
Set-Cookie: __VCAP_ID__=05bbc7d2-c7b7-447c-7bfd-44e3; Path=/; HttpOnly; Secure
X-Vcap-Request-Id: 9e7bd28d-be21-4902-5302-2f7cc8da483f
Connection: close
Content-Length: 14495
<!doctype html>

For critical applications, SameSite=Strict should be used. For all other applications, SameSite=Lax is recommended.


This issue was solved during 21.0.0 security improvements.
The solution is available since version 21.0.0 of the AWI.

Additional Information

This issue was solved during the 21.0.0 security improvements.
There is no CVE number.