Our .NET MVC app uses Okta for authentication, and our security team has flagged us with a security vulnerability because Okta's JSESSIONID cookie does not have SameSite set. Is there a way to set SameSite on that cookie?
Okta does not use the JSESSIONID cookie for user sessions and instead uses a cookie named sid (for Okta Classic orgs) or idx (for Okta Identity Engine orgs), which are always set as SameSite=None.
I can see the above cookies set when the Okta login page is drawn (custom). The domain I blurred out in the screenshot is the alias for our application's Okta domain. This is the cookie that security has a problem with. It's actually set before I've logged in on the page. We're using Okta Classic. Any ideas where this is coming from?
Our server sets that cookie, but it isn’t used for session management and can be ignored.
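One way to confirm the reply above for yourself, as an added example (this is not code from the thread or from Okta): collect the Set-Cookie headers from every response while the login page loads and attribute each cookie to the host that sent it. The hosts and headers below are constructed for illustration; app.example.com stands in for the .NET app and login.example.com for the custom Okta domain alias.

```python
"""Audit which origin sets each cookie and whether it carries SameSite.

Added example; not code from the original thread or from Okta. The hostnames
and Set-Cookie headers are constructed, not captured from a real org.
"""
from __future__ import annotations

from urllib.parse import urlsplit


def parse_set_cookie(header: str) -> tuple[str, dict]:
    """Split one Set-Cookie header into (cookie name, lower-cased attribute map).

    Flag attributes such as Secure/HttpOnly map to True; valued attributes keep
    their value, so a missing SameSite shows up as a missing key.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs: dict = {}
    for attr in parts[1:]:
        key, sep, value = attr.partition("=")
        attrs[key.strip().lower()] = value.strip() if sep else True
    return name, attrs


def audit_samesite(responses: dict[str, list[str]], app_host: str) -> dict:
    """Report cookies that lack SameSite, split by who set them.

    responses maps each response URL to its Set-Cookie headers. Only cookies
    whose origin is app_host can be fixed in the app; the others belong to the
    server that sent them (here the Okta-hosted login page) and must be
    changed there, if at all.
    """
    report: dict = {"app": [], "third_party": {}}
    for url, headers in responses.items():
        origin = urlsplit(url).hostname
        for header in headers:
            name, attrs = parse_set_cookie(header)
            if "samesite" in attrs:
                continue
            if origin == app_host:
                report["app"].append(name)
            else:
                report["third_party"].setdefault(origin, []).append(name)
    return report


# Constructed sample: two responses seen while a .NET app hands off to a custom
# Okta login page. Both hostnames are hypothetical.
SAMPLE_RESPONSES = {
    "https://app.example.com/": [
        "ASP.NET_SessionId=k2xq7d; path=/; HttpOnly",
        ".AspNet.ApplicationCookie=abc; path=/; Secure; HttpOnly; SameSite=Lax",
    ],
    "https://login.example.com/login/login.htm": [
        "JSESSIONID=1A2B3C4D; Path=/; Secure; HttpOnly",
        "sid=s9f8e7; Path=/; Secure; HttpOnly; SameSite=None",
    ],
}

if __name__ == "__main__":
    findings = audit_samesite(SAMPLE_RESPONSES, "app.example.com")
    print("Fixable in the app (no SameSite):", findings["app"])
    for origin, names in findings["third_party"].items():
        print(f"Set by {origin} (not ours to change):", names)
```

Cookies reported under "app" are the only ones the .NET application can change. A cookie listed under a third-party origin, such as the Okta login host, comes from that server's own Set-Cookie header, and nothing in the application's configuration can add SameSite to it. When responding to the finding, it is also worth noting that current Chromium-based browsers treat a cookie without a SameSite attribute as SameSite=Lax.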
