Cookies without Secure and HttpOnly flags set


I used Okta login for my Angular application. When we sent the application for penetration testing, the following issues were raised.
Issue 1:
Cookies were identified without the HTTPOnly flag set, potentially allowing the cookies to be accessed by client-side scripts.

Technical Details
The following cookies were set without the HTTPOnly flag:


Ensure the HttpOnly flag is set on all HTTP cookies. It should be noted that there may be legitimate client-side scripts within the application that read or write the cookie's value. If this is the case, then it may not be possible to enable this flag.

Issue 2:
Session cookies found without the Secure cookie flag set

Technical Details
The following cookies were set without the secure flag:


Review all application cookies and set the Secure attribute on all of them.

PS: All these cookies are generated by the Okta library; can you please fix this?
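Added example, not code from the original post, from Okta, or from the scanner that produced the report above: a small offline checker that parses raw Set-Cookie header values and reports the two findings in the report (missing HttpOnly, missing Secure). It rates a missing flag as high severity only for cookies the caller names as session cookies, and downgrades the HttpOnly finding to informational for cookies the application deliberately reads from script, which is the caveat the report itself makes. The header lines, cookie names and the session/script-readable lists are constructed for the example and do not describe what Okta actually sends.

```python
"""Audit Set-Cookie header values for missing HttpOnly / Secure attributes.

Added example for the thread above; the sample headers are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass
class ParsedCookie:
    name: str
    http_only: bool
    secure: bool
    same_site: Optional[str]


def parse_set_cookie(header_value: str) -> ParsedCookie:
    """Parse one Set-Cookie header value.

    Attribute names are case-insensitive (RFC 6265), and HttpOnly and Secure
    are flag attributes that carry no value, so only the name is inspected.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    http_only = secure = False
    same_site = None
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "httponly":
            http_only = True
        elif key == "secure":
            secure = True
        elif key == "samesite":
            same_site = value.strip() or None
    return ParsedCookie(name, http_only, secure, same_site)


Finding = Tuple[str, str]  # (severity, message)


def audit_set_cookie_headers(
    headers: Iterable[str],
    session_cookie_names: Iterable[str] = (),
    script_readable_names: Iterable[str] = (),
) -> Dict[str, List[Finding]]:
    """Return {cookie name: findings} for every cookie missing a flag.

    session_cookie_names: cookies whose loss means session theft -> "high".
    script_readable_names: cookies the app reads via document.cookie on
    purpose, so HttpOnly cannot be set -> reported as "info" only.
    """
    session = {n.lower() for n in session_cookie_names}
    script_readable = {n.lower() for n in script_readable_names}
    report: Dict[str, List[Finding]] = {}
    for raw in headers:
        cookie = parse_set_cookie(raw)
        key = cookie.name.lower()
        severity = "high" if key in session else "low"
        findings: List[Finding] = []
        if not cookie.http_only:
            if key in script_readable:
                findings.append(("info", "no HttpOnly, but the app reads this cookie from script by design"))
            else:
                findings.append((severity, "missing HttpOnly: readable through document.cookie after XSS"))
        if not cookie.secure:
            findings.append((severity, "missing Secure: the browser will also send it over plaintext HTTP"))
        if findings:
            report[cookie.name] = findings
    return report


# Constructed sample response headers (hypothetical names; not captured from
# Okta or any real site).
SAMPLE_HEADERS = [
    "sid=3f9a7c; Path=/; HttpOnly; Secure; SameSite=Lax",  # properly flagged session cookie
    "csrf_token=9b1c; Path=/; Secure",                     # read by JS on purpose
    "theme=dark; Path=/",                                  # UI preference, no flags at all
    "trace_id=a1b2c3; Path=/; Secure",                     # monitoring agent cookie
    "legacy_session=ZZ; Path=/",                           # session cookie missing both flags
]


def main() -> None:
    report = audit_set_cookie_headers(
        SAMPLE_HEADERS,
        session_cookie_names=["sid", "legacy_session"],
        script_readable_names=["csrf_token"],
    )
    for name, findings in report.items():
        for severity, message in findings:
            print(f"[{severity:4}] {name}: {message}")


if __name__ == "__main__":
    main()
```

Feed it the Set-Cookie values from your own proxy capture (one header value per list entry) and put the cookie that actually carries the session in `session_cookie_names`; everything else shows up as low or info, which is the distinction a triage of this kind of finding turns on.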

Hey @Prudhvi!

I passed this on to our security team, and this was the response:

JSESSIONID is not a session cookie for Okta and can be ignored. There is no risk posed by this cookie.

The T cookie is used for UI themes, it has minimal security implications but will be remediated in the future.

Cookies prefixed with ADRUM are AppDynamics server-side agent cookies that do not have HttpOnly set by design. AppDynamics provides Okta with performance data that helps to troubleshoot customer issues and ensure Okta meets our availability SLA. AppDynamics does not store or process PII and these cookies are not related to the Okta session. More information is here:

Okta Sessions are managed by the SID cookie which has both HTTPOnly and Secure attributes enabled.

Also, in the future, I'd encourage you to attempt to disclose potential issues like this responsibly. You can see Okta's policy here. The Apache Foundation also has a great write-up (geared toward Apache projects, but still lots of great info).

It looks like:

  1. The “t” cookie has not been remediated

  2. A cookie “oktaStateToken” really should have those two flags set

  3. A cookie “DT” which is there too goes unexplained.

I understand by now that DT is the device token, which keeps track of MFA having been provided, so it seems that one also definitely deserves both flags.