Why are some cookies in PAM configured not to be HttpOnly?

Article ID: 281920

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

Security scanners launched against a PAM appliance may report that some cookies are not set with the HttpOnly flag.

A cookie without HttpOnly is readable by client-side JavaScript, so the finding can indicate a weakness when the cookie carries a session or authentication token. In the case of PAM, the cookies set without the flag are not used for authentication or session maintenance, so this finding does not pose a security risk.

Environment

CA PAM, all versions up to and including 4.1.7 at least

Resolution

Below is the list of cookies that are not set HttpOnly and the reason why each one does not pose a security risk.

Cookie Name               Explanation
Xsuite_IdP_Proxy_Sticky   This cookie is not used for session maintenance or authentication.
jsid                      This cookie is a copy of PHPSESSID that client-side code reads to link the session ID, so it cannot be HttpOnly.
fromindexphp              This cookie is not used for session maintenance.
JSESSIONID                This cookie is not used for session maintenance.

None of the cookies listed can be used to steal a session or to perform other malicious activity, so they do not require the HttpOnly flag.
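To verify a scanner finding of this kind against the appliance's actual response headers, the following added example (not CA PAM code) parses Set-Cookie headers, reports every cookie that lacks HttpOnly, and separates the four cookie names this article documents as acceptable from any other non-HttpOnly cookie that would still need review. The sample headers are constructed for illustration; the allowlist contains only the names listed above.

```python
"""Audit Set-Cookie headers for missing HttpOnly flags.

Added example for this article, not CA/Broadcom code. The allowlist holds
the four cookie names the article documents as not used for session
maintenance or authentication; SAMPLE_HEADERS are constructed test data.
"""

# Cookie names the article states are acceptable without HttpOnly.
PAM_NON_SESSION_COOKIES = {
    "Xsuite_IdP_Proxy_Sticky",
    "jsid",
    "fromindexphp",
    "JSESSIONID",
}

# Constructed sample of what a scanner or a client sees from the appliance.
SAMPLE_HEADERS = [
    "PHPSESSID=abc123; Path=/; Secure; HttpOnly",
    "jsid=abc123; Path=/; Secure",
    "JSESSIONID=DEADBEEF; Path=/",
    "fromindexphp=1; Path=/",
    "Xsuite_IdP_Proxy_Sticky=node1; Path=/; Secure",
    "otherapp_session=xyz; Path=/; Secure",   # hypothetical cookie not covered by the article
]


def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (name, attributes).

    Attribute keys are lower-cased; valueless flags such as HttpOnly and
    Secure map to True, valued attributes such as Path map to their value.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), attrs


def audit_cookies(set_cookie_headers, allowlist=PAM_NON_SESSION_COOKIES):
    """Classify each cookie by its HttpOnly status.

    Returns a dict mapping cookie name to:
      'ok'       - HttpOnly is set
      'expected' - HttpOnly missing, but the name is on the documented allowlist
      'review'   - HttpOnly missing and the cookie is not documented; investigate
    """
    results = {}
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if attrs.get("httponly"):
            results[name] = "ok"
        elif name in allowlist:
            results[name] = "expected"
        else:
            results[name] = "review"
    return results


def cookies_needing_review(set_cookie_headers, allowlist=PAM_NON_SESSION_COOKIES):
    """Return the sorted list of non-HttpOnly cookies the article does not cover."""
    audit = audit_cookies(set_cookie_headers, allowlist)
    return sorted(name for name, status in audit.items() if status == "review")


if __name__ == "__main__":
    for cookie, status in audit_cookies(SAMPLE_HEADERS).items():
        print(f"{cookie:<28} {status}")
    print("needs review:", cookies_needing_review(SAMPLE_HEADERS))
```

In practice the header list would come from a real response, for example `response.headers.get_all("Set-Cookie")` on an `http.client` response to the appliance's login page; any cookie reported as `review` is one this article does not explain and should be checked against the product documentation rather than dismissed.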