Secure and HTTPOnly Cookies not used for mfa-deviceId in Risk Authentication



Article ID: 270914


Updated On:


Products: CA Advanced Authentication; CA Advanced Authentication - Risk Authentication (RiskMinder / RiskFort); CA Risk Authentication


We have the following JavaScript embedded in the Customer Center application given to us by the MFA team. I believe this is setting a cookie called "mfa-deviceId". This cookie is not Secure and not HttpOnly.

        <script type="text/javascript">
            var rootURL = window.location.origin;
            // Risk Authentication client; it writes the device-ID cookie named below
            var client;

            window.onload = function () {
                init();
            };

            function init() {
                client = new ca.rm.Client();
                var baseURL = window.location.origin;
                client.setProperty("baseurl", baseURL);
                client.loadFlash(readyCallback);
            }

            function readyCallback(flag) {
                configureClient();
                client.processDNA();
            }

            function configureClient() {
                // name of the device-ID cookie written by the client
                client.setProperty("didname", "mfa-deviceId");
                client.setProperty("noFlash", true);
            }
        </script>

Please advise how this utility can be modified to create cookies that are secure and httponly.


Release: 9.1

Risk Authentication (RiskFort)


By design, an HttpOnly cookie is not accessible to client-side scripting languages such as JavaScript. Consequently, JavaScript has no API to read or set the HttpOnly attribute of a cookie, as that would defeat the purpose of HttpOnly. The attribute has to be set at the application level, i.e. by the server when it issues the Set-Cookie header.

Regarding the Secure flag, we have addressed that in the script with the changes below:

    remove: function (a) {
        // Expire the cookie immediately, both without a path and with the
        // "/" path and Secure flag, so that either variant is cleared
        var b = new Date(0);
        document.cookie = a + "=;expires=" + b.toGMTString();
        document.cookie = a + "=;expires=" + b.toGMTString() + "; path=/;secure;";
        return true;
    },
    save: function (c, d, a) {
        // c: cookie name, d: cookie value, a: if truthy, persist for 1825 days
        var b = d ? escape(d) : "";
        if (a) {
            var e = new Date();
            e.setDate(e.getDate() + 1825);
            ArcotCookieUtils.remove(c);
            document.cookie = c + "=" + b + ";expires=" + e.toGMTString() + "; path=/;secure;";
        } else {
            // session cookie, still marked Secure
            document.cookie = c + "=" + b + "; path=/;secure;";
        }
        return true;
    }

A patch containing this change is provided and is attached to this KB article.
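As an added illustration (not CA/Arcot code and not part of the patch), the following shows the application-level approach described above: the server builds the Set-Cookie header for the device-ID cookie with both Secure and HttpOnly, which client-side script cannot do, and a small checker reports which protective attributes a given Set-Cookie header carries. The cookie name "mfa-deviceId" is taken from the question; the 1825-day lifetime mirrors the patched save() above; SameSite=Lax and the handler usage are assumptions.

```javascript
// Added example: issue the device-ID cookie from the application server
// (Node.js), where the HttpOnly attribute can be set. Attribute syntax follows
// RFC 6265. Cookie name and lifetime are assumptions matching the KB article.

// Build a Set-Cookie header value. `days` is optional; without it the cookie
// is a session cookie, as in the else-branch of the patched save() function.
function buildDeviceIdSetCookie(name, value, days) {
  // RFC 6265 cookie-octet: no control chars, whitespace, '"', ',', ';', '\'
  if (!/^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$/.test(value)) {
    throw new Error('cookie value contains characters that must be encoded');
  }
  var parts = [name + '=' + value, 'Path=/', 'Secure', 'HttpOnly', 'SameSite=Lax'];
  if (days) {
    parts.push('Max-Age=' + days * 24 * 60 * 60);
  }
  return parts.join('; ');
}

// Report which protective attributes a Set-Cookie header carries, e.g. for
// auditing responses of the application after the change.
function cookieFlags(setCookieHeader) {
  var attrs = setCookieHeader.split(';').slice(1).map(function (s) {
    return s.trim().toLowerCase();
  });
  return {
    secure: attrs.indexOf('secure') !== -1,
    httpOnly: attrs.indexOf('httponly') !== -1,
    sameSite: attrs.some(function (a) { return a.indexOf('samesite=') === 0; })
  };
}

// Hypothetical use in an http.createServer handler (assumption):
//   res.setHeader('Set-Cookie', buildDeviceIdSetCookie('mfa-deviceId', id, 1825));
```

Because the cookie is then HttpOnly, any server-side component that needs the device ID reads it from the request's Cookie header rather than expecting page script to supply it.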

Attachments