Removing or Disabling arcottest_cookie in Advanced Authentication Sample Application

Article ID: 403789

Products

CA Strong Authentication

Issue/Introduction

This article addresses concerns raised around the presence of the arcottest_cookie, which is created by the Strong Authentication sample application. The cookie stores a timestamp value for the client-side session but does not contain any sensitive or user-specific data.

A patch has been developed to disable the creation of this cookie, especially in environments where its presence may trigger privacy or compliance concerns.

You have reported concerns about a cookie named arcottest_cookie appearing in browser sessions while using the sample application or embedded JavaScript libraries. The concern arises due to:

  • Lack of clarity around the purpose of the cookie

  • Compliance/privacy scanner flags

  • Confusion caused by the name arcottest_cookie

Environment

Advanced Authentication (Strong Authentication) Version 9.1.5 and above

Cause

The cookie is used internally by the sample application's JavaScript client to store a timestamp for the authentication flow. It was originally created for diagnostic and demo purposes.

Key points:

  • It does not store personally identifiable information (PII), device identifiers, or session tokens.

  • The cookie is non-functional and not required for production-grade deployments.

  • The naming may cause confusion but does not imply insecure usage.

Resolution

A patch has been created to remove the logic that sets the arcottest_cookie.

Who should apply this patch?

Organizations that:

  • Do not use the sample application but still include the client JavaScript.

  • Are undergoing strict compliance scans.

  • Want to ensure a minimal cookie footprint for end users.

Patch Deployment Instructions

1. Sample Application (Tomcat/Other Server):

Replace the following file:

<install_dir>\webapps\ca-strongauth-sample-application\client\arcotclient.js

Example for Tomcat App server:

C:\apache-tomcat-9.0.84\webapps\ca-strongauth-sample-application\client\arcotclient.js

Use the patched version of arcotclient.js provided with this KB or via your support case.

2. Custom or Deployed Application:

If you are using a custom frontend that embeds arcotclient.js, replace the JS file within your project or build pipeline with the patched version.

Validation Steps

After deploying the patch:

  • Clear browser cache

  • Restart the application server (if applicable)

  • Initiate a fresh authentication flow

  • In browser dev tools, open Application → Cookies and confirm arcottest_cookie is no longer present
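
A console check for the last validation step, as an added example (not part of the vendor's patch or client code): it looks for an exact cookie-name match in document.cookie, so similarly named cookies are not misreported. The function names and sample cookie strings are constructed for illustration.

```javascript
const TARGET = "arcottest_cookie"; // cookie name from this article

// Split a document.cookie-style string ("a=1; b=2") into {name, value} pairs.
function parseCookieString(cookieString) {
  const jar = [];
  for (const raw of String(cookieString || "").split(";")) {
    const pair = raw.trim();
    if (pair === "") continue;
    const eq = pair.indexOf("=");
    // A pair without "=" is a nameless cookie; it can never match TARGET.
    const name = eq === -1 ? "" : pair.slice(0, eq).trim();
    // Only the first "=" separates name from value; later ones belong to the value.
    const value = eq === -1 ? pair : pair.slice(eq + 1).trim();
    jar.push({ name, value });
  }
  return jar;
}

// Exact, case-sensitive name match (cookie names are case-sensitive).
function findCookie(cookieString, name = TARGET) {
  return parseCookieString(cookieString).find((c) => c.name === name) || null;
}

// Report whether the cookie is still visible to script on this page.
function checkCookie(cookieString) {
  const hit = findCookie(cookieString);
  return hit
    ? { present: true, detail: `${TARGET} still set (value: ${hit.value})` }
    : { present: false, detail: `${TARGET} not present` };
}

// Constructed sample values, used when run outside a browser (e.g. in Node).
const SAMPLE_UNPATCHED = "theme=dark; arcottest_cookie=1718000000000";
const SAMPLE_PATCHED = "theme=dark; my_arcottest_cookie_pref=on";

if (typeof document !== "undefined") {
  // Browser console: check the live cookie string for the current page.
  console.log(checkCookie(document.cookie).detail);
} else {
  console.log(checkCookie(SAMPLE_UNPATCHED).detail);
  console.log(checkCookie(SAMPLE_PATCHED).detail);
}
```

document.cookie only lists cookies whose path matches the current page, so run the check on the page where the authentication flow executes; the dev tools Cookies panel remains the complete view for the origin.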

Additional Information

FAQ

Q: Will disabling this cookie break any authentication flow?
A: No, this cookie is not used in actual authentication logic or backend validation.

Q: Can we rename the cookie instead of removing it?
A: While possible, the recommended and supported fix is to remove it entirely.

Q: Does this apply to Arcot Payment SDKs?
A: No, this patch is specific to Strong Authentication client SDK/sample app.

Attachments

  • arcotclient.js (patched version)

Symantec-AdvAuth-DE645683-HotFix.zip