Cookies are used to store information on the client. This information is sent to the server with every HTTP request, and it is often used to uniquely identify a user. If an attacker steals a user's cookie, they may be able to hijack the user's session and impersonate the victim.

Three cookie attributes are particularly important from a security perspective: Secure, HttpOnly, and SameSite. If a cookie is flagged as Secure, the application instructs the browser to send the cookie only when the communication channel is encrypted using HTTPS. The HttpOnly flag forbids client-side scripts from reading the contents of the cookie, so a cross-site scripting vulnerability cannot be used to steal it. The SameSite attribute limits the contexts in which the browser sends the cookie on cross-site requests, which adds a further layer of mitigation against cross-site request forgery.

Specific Description
Truesec identified that the Secure flag is not set on the session cookies used by any of the applications.
Release : 14.5.1 CHF1
Component : Identity Manager
The Penetration Tester recommends configuring the application server/framework to generate cookies with the HttpOnly attribute. Cookies should also be marked as Secure if the website uses HTTPS (recommended). Cookies should also define the SameSite flag, which will significantly hinder cross-site request forgery (CSRF), by controlling cross-site interactions.
By default, a cookie is set to HttpOnly. You can secure a cookie by following these steps:
1) Write the value true to the file /opt/CA/VirtualAppliance/custom/<point_product>/secure-cookie. Replace <point_product> with the directory of the product being configured: Identity Manager, Identity Governance, or Identity Portal. Repeat for each product.
2) Restart the <point_product>.
The cookie does not set the SameSite attribute, but CSRF protection is already in place.
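To verify that the secure-cookie setting took effect, the Set-Cookie headers returned by each product can be checked for the three attributes discussed above. The following is an added example, not code from the product or from the Truesec report; the cookie name JSESSIONID and the header lines are constructed sample input.

```python
# Audit Set-Cookie headers for the Secure, HttpOnly and SameSite attributes.
# Added example: the headers below are constructed, not captured from
# Identity Manager, and the cookie name JSESSIONID is an assumption.

from typing import Dict, List, Tuple

REQUIRED = ("Secure", "HttpOnly", "SameSite")

def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split a Set-Cookie header into its name, value and attributes.
    Attribute names are lower-cased because they are case-insensitive."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        cookie[key.strip().lower()] = val.strip()
    return cookie

def missing_flags(header: str) -> List[str]:
    """Return which of Secure/HttpOnly/SameSite the header lacks.
    SameSite=None is reported as well: it disables the cross-site
    restriction and therefore gives no CSRF mitigation on its own."""
    cookie = parse_set_cookie(header)
    missing = [flag for flag in REQUIRED if flag.lower() not in cookie]
    if cookie.get("samesite", "").lower() == "none":
        missing.append("SameSite=None (no cross-site restriction)")
    return missing

def audit(headers: List[str]) -> List[Tuple[str, List[str]]]:
    """Audit a list of Set-Cookie headers; an empty list means all set."""
    return [(parse_set_cookie(h)["name"], missing_flags(h)) for h in headers]

# Constructed samples: as reported in the finding (HttpOnly by default, no
# Secure), after enabling secure-cookie, and with SameSite added as well.
SAMPLE_HEADERS = [
    "JSESSIONID=ABC123; Path=/; HttpOnly",
    "JSESSIONID=ABC123; Path=/; Secure; HttpOnly",
    "JSESSIONID=ABC123; Path=/; Secure; HttpOnly; SameSite=Lax",
]

if __name__ == "__main__":
    for name, missing in audit(SAMPLE_HEADERS):
        print(name, "->", ", ".join(missing) if missing else "OK")
```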
Reference#DE639252