
Is the Agent Configuration Object (ACO) parameter 'UseHTTPOnlyCookies' specific to Microsoft Internet Explorer ? And How does it protect against cross site scripting attacks?


Article ID: 51256


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On



The Agent Configuration Object (ACO) parameter 'UseHTTPOnlyCookies' helps protect against cross-site scripting attacks by setting the 'HTTP-Only' attribute on the cookies the Web Agent creates.


To help protect against cross-site scripting attacks, you can make the Web Agent set the HTTP-Only attribute on every cookie it creates by using the UseHTTPOnlyCookies parameter. Additional information on protecting data with HTTP-Only cookies can be obtained from the MSDN website at:

A new HTTPOnly attribute was introduced for cookies in Internet Explorer 6 SP1. This attribute specifies that the cookie must not be accessible through client-side script. To correspond with this attribute, a new Agent Configuration Object (ACO) parameter, "UseHTTPOnlyCookies", was introduced in 6QMR5 HF06 so that the SiteMinder Web Agent can create HTTP-Only cookies. When the parameter is set to YES, the agent adds the HTTP-Only flag to all SiteMinder cookies. (Refer to Tech Document TEC486169.)

This parameter was therefore created specifically for the IE attribute.

Most other modern browsers (as of writing this KB article) also support the HTTP-Only flag, although they may not enforce it as strictly.
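One way to verify the setting took effect is to inspect the Set-Cookie headers the protected site returns and flag any agent cookie that still lacks HttpOnly. The following is an added example, not code from the KB article or from CA; the response headers are constructed, and the cookie names SMSESSION and SMIDENTITY and the "SM" name prefix are assumed SiteMinder conventions rather than values taken from this article.

```python
import re
from typing import Dict, List

# Constructed Set-Cookie headers standing in for a response captured before
# UseHTTPOnlyCookies was set to YES (assumed cookie names, not from the article).
SAMPLE_BEFORE = [
    "Set-Cookie: SMSESSION=abc123; Path=/; Domain=.example.com",
    "Set-Cookie: SMIDENTITY=def456; Path=/; Domain=.example.com; Secure",
    "Set-Cookie: JSESSIONID=789; Path=/app; HttpOnly",
]

# Constructed headers for the same response after the agent adds the flag.
SAMPLE_AFTER = [
    "Set-Cookie: SMSESSION=abc123; Path=/; Domain=.example.com; HttpOnly",
    "Set-Cookie: SMIDENTITY=def456; Path=/; Domain=.example.com; Secure; HttpOnly",
    "Set-Cookie: JSESSIONID=789; Path=/app; HttpOnly",
]


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Parse one Set-Cookie header line into a dict.

    The cookie name and value are stored under 'name' and 'value'; every
    attribute (Path, Domain, Secure, HttpOnly, ...) is stored under its
    lowercased name, with valueless flags mapped to an empty string.
    """
    body = re.sub(r"^set-cookie:\s*", "", header, flags=re.IGNORECASE)
    parts = [p.strip() for p in body.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip()
    return cookie


def cookies_missing_httponly(headers: List[str], prefix: str = "SM") -> List[str]:
    """Return the names of agent cookies (assumed 'SM' prefix) without HttpOnly.

    An empty list means every agent cookie carries the flag, which is the
    expected state once UseHTTPOnlyCookies=YES is active on the Web Agent.
    """
    missing = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie["name"].upper().startswith(prefix) and "httponly" not in cookie:
            missing.append(cookie["name"])
    return missing
```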


Component: SMSUN