Cookies without secure and HTTP flag set


#1

Hi,

I used OKTA login for my Angular application. When we sent the application for penetration testing, the following issues were raised.
Issue 1:
Cookies were identified without the HTTPOnly flag set, potentially allowing the cookies to be accessed by client-side scripts.

Technical Details
The following cookies were set without the HTTPOnly flag:

ADRUM_BT1
ADRUM_BTa
DT
JSESSIONID
proximity_14b727894adaba3d6f9e90c4fa86cf430
proximity_2ac00f0ba5abcfa18b09c643586c3d4bc
proximity_940ber3ce534851dba7d7aaeedb3e959
t

Recommendation
The HTTPOnly flag should be set on all HTTP cookies. It should be noted that there may be legitimate client-side scripts within the application that read or write the cookie's value. If this is the case, then it may not be possible to enable this flag.

Issue 2:
Session cookies found without the Secure cookie flag set

Technical Details
The following cookies were set without the secure flag:

ADRUM_BTX
ADRUM_BTY
JSESSIONID
t

Recommendation
Review all application cookies and set the Secure attribute on all of them.

PS: All these cookies are generated by the OKTA library; can you please fix this?


#2

Hey @Prudhvi!

I passed this on to our security team, and this was the response:

JSESSIONID is not a session cookie for Okta and can be ignored. There is no risk posed by this cookie.

The T cookie is used for UI themes; it has minimal security implications but will be remediated in the future.

Cookies prefixed with ADRUM are AppDynamics server-side agent cookies that do not have HttpOnly set by design. AppDynamics provides Okta with performance data that helps to troubleshoot customer issues and ensure Okta meets our availability SLA. AppDynamics does not store or process PII and these cookies are not related to the Okta session. More information is here: https://docs.appdynamics.com/display/PRO43/Correlate+Business+Transactions+for+Browser+RUM

Okta Sessions are managed by the SID cookie which has both HTTPOnly and Secure attributes enabled.

Also, in the future, I'd encourage you to attempt to disclose potential issues like this responsibly. You can see Okta's policy here. The Apache Foundation also has a great write-up (geared for Apache projects, but still lots of great info).
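
As an added example (not code from the original thread, from Okta, or from the Angular application in question): a small Node.js auditor that parses Set-Cookie response headers and reports the two findings from the report in the first post, cookies missing HttpOnly and cookies missing Secure, and additionally flags a missing SameSite attribute, which the report does not cover. It also shows how a hardened header of the kind the reply describes for the SID session cookie (both HttpOnly and Secure set) is built. The cookie names reuse those from the thread, but the values and the headers themselves are constructed for illustration and are not captured from Okta.

```javascript
// Added example: audit Set-Cookie headers for HttpOnly / Secure / SameSite and
// build a hardened header. Not Okta's or the original poster's code; all
// headers below are constructed sample data.

// Parse one Set-Cookie header into { name, value, attributes }.
// Attribute keys are lower-cased so "HttpOnly" and "httponly" compare equal;
// flag attributes (Secure, HttpOnly) are stored as `true`.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [nameValue, ...attrParts] = parts;
  const eq = nameValue.indexOf('=');
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq).trim();
  const value = eq === -1 ? '' : nameValue.slice(eq + 1).trim();
  const attributes = {};
  for (const attr of attrParts) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return { name, value, attributes };
}

// Audit a list of Set-Cookie headers. Returns one { name, problems } entry per
// cookie; an empty `problems` array means the cookie carries every attribute
// this check looks for. It does NOT decide whether a cookie is a session
// cookie: that triage (e.g. "JSESSIONID is not a session cookie for Okta")
// still needs a human who knows what each cookie is used for.
function auditSetCookieHeaders(headers) {
  return headers.map(parseSetCookie).map(({ name, attributes }) => {
    const problems = [];
    if (!('httponly' in attributes)) problems.push('missing HttpOnly'); // readable via document.cookie
    if (!('secure' in attributes)) problems.push('missing Secure');     // sent over plain HTTP
    if (!('samesite' in attributes)) problems.push('missing SameSite'); // browser default applies
    // Browsers only honour a __Host- prefixed cookie when it is Secure, has
    // Path=/ and no Domain attribute; report a prefix that would be rejected.
    if (name.startsWith('__Host-') &&
        (!('secure' in attributes) || attributes.path !== '/' || 'domain' in attributes)) {
      problems.push('invalid __Host- prefix usage');
    }
    return { name, problems };
  });
}

// Build a Set-Cookie header with HttpOnly, Secure and SameSite on by default,
// i.e. the shape the reply describes for the SID session cookie. Name and
// value are validated so an attacker-influenced value cannot inject a ';' and
// append attributes of its own.
function buildSetCookie(name, value, opts = {}) {
  const { path = '/', maxAge, sameSite = 'Lax', httpOnly = true, secure = true } = opts;
  if (!/^[^\s;=,]+$/.test(name) || /[\s;,]/.test(value)) {
    throw new Error('invalid cookie name or value');
  }
  const parts = [`${name}=${value}`, `Path=${path}`];
  if (maxAge !== undefined) parts.push(`Max-Age=${maxAge}`);
  parts.push(`SameSite=${sameSite}`);
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  return parts.join('; ');
}

// Constructed sample headers mirroring the report: JSESSIONID and t with no
// flags, an ADRUM cookie with Secure only, and a SID cookie with both flags.
const SAMPLE_HEADERS = [
  'JSESSIONID=abc123; Path=/',
  't=default; Path=/',
  'ADRUM_BT1=R:0|g:1; Path=/; Secure',
  'sid=xyz789; Path=/; Secure; HttpOnly; SameSite=Lax',
];

for (const { name, problems } of auditSetCookieHeaders(SAMPLE_HEADERS)) {
  console.log(name.padEnd(12), problems.length ? problems.join(', ') : 'ok');
}
console.log(buildSetCookie('sid', 'xyz789'));
```

Two caveats a reviewer would attach to such a finding: HttpOnly only stops injected script from reading the cookie value through document.cookie; script running in the page can still make requests that the browser sends the cookie with, so it does not neutralise XSS. And Secure is what keeps the cookie off plaintext HTTP; it matters regardless of whether the cookie is a session cookie, which is why the report's second recommendation is to set it on every cookie rather than only on the ones that look sensitive.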