Addressing Insecure "mfa-deviceId" Cookie Flags in Risk Authentication

Article ID: 270914


Updated On:

Products

CA Advanced Authentication
CA Advanced Authentication - Risk Authentication (RiskMinder / RiskFort)
CA Risk Authentication

Issue/Introduction

The current MFA JavaScript implementation in your application generates a device identifier cookie named mfa-deviceId. Security audits have identified that this cookie is missing both the Secure and HttpOnly attributes, potentially exposing the device ID to Cross-Site Scripting (XSS) or man-in-the-middle (MITM) attacks.

Technical Analysis

Upon reviewing the provided scripts, we identified two distinct limitations regarding cookie flags:

  1. HttpOnly: This flag prevents client-side scripts (like JavaScript) from accessing the cookie. By definition, JavaScript cannot set an HttpOnly flag. If JavaScript could toggle this flag, it would defeat the purpose of the security control.

  2. Secure: This flag ensures the cookie is only transmitted over encrypted (HTTPS) connections. This can be set via JavaScript by appending the ;secure attribute to the document.cookie string.

Environment

Release : 9.1.x

Risk Authentication (RiskFort)

Resolution

1. Addressing the Secure Flag

We have modified the core ArcotCookieUtils utility to include the ;secure attribute during both the creation and removal of the cookie.

Modified Code Snippet: The following logic ensures that even when a cookie is removed (expired), it is handled over a secure channel:

// Updated remove and save functions of the ArcotCookieUtils utility
// (the utility's other members are unchanged and omitted here)
var ArcotCookieUtils = {
    remove: function(a) {
        var b = new Date(0);
        // Expire the cookie at the default (current) path, then at the root path,
        // so an earlier cookie written at either path is cleared; the root-path
        // removal carries the Secure attribute.
        document.cookie = a + "=;expires=" + b.toGMTString();
        document.cookie = a + "=;expires=" + b.toGMTString() + "; path=/;secure;";
        return true;
    },
    save: function(c, d, a) {
        // c = cookie name, d = cookie value, a = persist for 5 years when truthy
        var b = d ? escape(d) : "";
        if (a) {
            var e = new Date();
            e.setDate(e.getDate() + 1825); // 5-year expiry
            ArcotCookieUtils.remove(c);
            document.cookie = c + "=" + b + ";expires=" + e.toGMTString() + "; path=/;secure;";
        } else {
            // Session cookie, still restricted to HTTPS by the Secure attribute
            document.cookie = c + "=" + b + "; path=/;secure;";
        }
        return true;
    }
};


2. Addressing the HttpOnly Flag

As noted, JavaScript cannot set the HttpOnly attribute.

  • Action Required: This must be configured at the Application Server level or via a Web Application Firewall (WAF).

  • Recommendation: If the mfa-deviceId is required by the JavaScript to perform client-side logic (DNA processing), setting it to HttpOnly will break the functionality. If the identifier is only used server-side, the cookie should be injected via Set-Cookie headers from the backend instead of the ca.rm.Client() library.
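As an added illustration (not part of the hotfix or of the ca.rm.Client() library), the Node.js helpers below build the Set-Cookie header a backend would emit for mfa-deviceId with both flags, and audit a captured Set-Cookie value for the attributes a security review expects; the device ID value and the three sample headers are constructed, and the function names are hypothetical.

```javascript
'use strict';

// Build the Set-Cookie header value a backend would emit for mfa-deviceId.
// HttpOnly can only be applied here: document.cookie has no way to set it.
// Pass { httpOnly: false } when client-side JavaScript must read the value.
function buildSetCookie(name, value, opts) {
  const o = Object.assign(
    { path: '/', maxAgeSeconds: 1825 * 24 * 60 * 60, secure: true,
      httpOnly: true, sameSite: 'Lax' },
    opts
  );
  const parts = [name + '=' + encodeURIComponent(value), 'Path=' + o.path];
  if (o.maxAgeSeconds !== null) parts.push('Max-Age=' + o.maxAgeSeconds);
  if (o.secure) parts.push('Secure');
  if (o.httpOnly) parts.push('HttpOnly');
  if (o.sameSite) parts.push('SameSite=' + o.sameSite);
  return parts.join('; ');
}

// Audit one Set-Cookie header value (as captured from a response) and report
// which of the flags expected on a device identifier are absent.
// Attribute names are matched case-insensitively, as browsers do.
function auditSetCookie(header) {
  const parts = header.split(';').map((s) => s.trim()).filter(Boolean);
  const name = parts[0].split('=', 1)[0];
  const attrs = new Set(
    parts.slice(1).map((p) => p.split('=')[0].trim().toLowerCase())
  );
  const missing = [];
  if (!attrs.has('secure')) missing.push('Secure');
  if (!attrs.has('httponly')) missing.push('HttpOnly');
  if (!attrs.has('samesite')) missing.push('SameSite');
  return { name, missing };
}

// Constructed sample headers: the pre-hotfix and post-hotfix JavaScript cookies
// expressed as Set-Cookie lines, and a server-emitted cookie with both flags.
const BEFORE_HOTFIX = 'mfa-deviceId=dev-sample-0001; path=/';
const AFTER_HOTFIX = 'mfa-deviceId=dev-sample-0001; path=/; secure;';
const SERVER_SIDE = buildSetCookie('mfa-deviceId', 'dev-sample-0001', {});

for (const h of [BEFORE_HOTFIX, AFTER_HOTFIX, SERVER_SIDE]) {
  const r = auditSetCookie(h);
  console.log(h, '->', r.missing.length ? 'missing ' + r.missing.join(', ') : 'ok');
}
```

The audit shows why the hotfix alone still leaves HttpOnly unset: only the server-emitted header passes with nothing missing.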

Attachments

Symantec-AdvAuth-9.1-DE568425-HotFix_1690987609979.zip