Last Updated: Nov 1, 2024
Overview
A web application security scan reported two findings for Auth0 cookies that are set without the HttpOnly or Secure flags.
The issue is how to handle the lack of HttpOnly on the following cookies:
- auth0.PaUrzRdxflTKVpq1fCiTGkWowJCgq0qi.is.authenticated
- _legacy_auth0.PaUrzRdxflTKVpq1fCiTGkWowJCgq0qi.is.authenticated
Applies To
- Cookies
- Session
- http-only
Solution
auth0.is.authenticated cookie
The auth0.is.authenticated cookie name is a little misleading. It is only an optimization flag that lets the SDK skip unnecessary log-ins for a better user experience. It carries no token, session identifier or other secret, so obtaining or forging it gives an attacker nothing: the SDK still has to call Auth0 to learn the real authentication state.
The cookie is used to remember that the user has authenticated with Auth0 across multiple tabs and page refreshes. Session Storage, on the other hand, is bound to a single browsing session: every tab has its own session storage, and it is cleared when the tab is closed.
More information about this can be found in Window: sessionStorage property.
Session Storage therefore cannot provide the cross-tab behavior the auth0.is.authenticated cookie provides.
As this cookie is written from JavaScript (document.cookie), it cannot be made HttpOnly: that flag can only be set by a server in a Set-Cookie header, and a cookie the SDK must read from JavaScript could not carry it anyway.
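To make the "hint, not credential" point concrete, here is an added example (not Auth0 SDK code) of how an application should treat the flag cookie. The cookie names reuse the client ID from the findings above; parseCookies, hasAuthenticatedHint, buildFlagCookie and restoreSession are illustrative names, and checkSession is a caller-supplied stub standing in for the round trip to Auth0. The flag only decides whether that round trip is attempted; the answer always comes from the server, so a forged flag yields no session.

```javascript
// Added example: treating the non-HttpOnly is.authenticated flag as a hint.
// Client ID taken from the cookie names in the scan findings.
const CLIENT_ID = 'PaUrzRdxflTKVpq1fCiTGkWowJCgq0qi';

// Parse a document.cookie style string ("a=1; b=2") into an object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const [rawName, ...rest] = part.trim().split('=');
    if (!rawName) continue;
    out[rawName] = decodeURIComponent(rest.join('='));
  }
  return out;
}

// True if either the modern or the legacy flag cookie is present and set.
function hasAuthenticatedHint(cookieString, clientId) {
  const cookies = parseCookies(cookieString);
  return (
    cookies[`auth0.${clientId}.is.authenticated`] === 'true' ||
    cookies[`_legacy_auth0.${clientId}.is.authenticated`] === 'true'
  );
}

// The string a client-side flag is written with. document.cookie only
// accepts attributes such as Max-Age, SameSite and Secure; HttpOnly is not
// settable from JavaScript, so it never appears here. Max-Age gives the
// expiry that Local Storage could not provide on its own.
function buildFlagCookie(clientId, maxAgeSeconds) {
  return `auth0.${clientId}.is.authenticated=true; Max-Age=${maxAgeSeconds}; SameSite=None; Secure`;
}

// Restore the session on page load. checkSession is a stub (synchronous
// here for simplicity) that asks the authorization server whether a
// session exists and returns the user, or null if it does not.
// The hint only gates whether the check is made; it never grants access.
function restoreSession(cookieString, clientId, checkSession) {
  if (!hasAuthenticatedHint(cookieString, clientId)) {
    return { authenticated: false, checked: false, user: null };
  }
  const user = checkSession();
  return { authenticated: user !== null, checked: true, user };
}

module.exports = { CLIENT_ID, parseCookies, hasAuthenticatedHint, buildFlagCookie, restoreSession };
```

The third scenario in the usage below is the one the scan finding worries about: an attacker who plants or copies the flag cookie. The SDK-style logic asks Auth0, Auth0 says there is no session, and the application stays logged out; the only cost of a forged flag is one wasted request.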
useCookiesForTransactions, when set to false (the default), keeps transactions in Session Storage rather than in a cookie.
A transaction is the state the SDK keeps across the redirect to Auth0 (for example the OAuth state, nonce and PKCE code verifier) so it can complete the login once the user is redirected back to the application.
Session Storage works fine here because the redirect happens in the same browser tab and therefore the same session. As soon as the user is redirected back from Auth0, the entry is removed from Session Storage, so there is no need to keep the value across tabs or page refreshes.
Local Storage is not used instead because the entry must expire after a set time, and Local Storage entries never expire on their own (a cookie does, via Max-Age).
Given these constraints on Session Storage and Local Storage, a non-HttpOnly cookie is the only option for the authenticated flag.
_legacy_auth0.is.authenticated
This cookie was added to support legacy browsers that do not handle SameSite=None correctly, see this documentation.
It can be disabled by setting legacySameSiteCookie to false.
The above is documentation for our SPA-JS SDK, which our React SDK wraps. To disable it in React, pass the same option to the Auth0Provider with its value set to false:
<Auth0Provider domain="YOUR_AUTH0_DOMAIN" clientId="YOUR_CLIENT_ID" legacySameSiteCookie={false}>
  {/* your application */}
</Auth0Provider>
NOTE: Browsers that do not handle SameSite=None correctly will not behave as expected without the legacy cookie, so only disable this feature if you know your users are not on such browsers. Otherwise it is fine to keep the cookie: it contains no sensitive information and is solely a flag that tells the SDK to assume an authenticated state and then call Auth0 to obtain the actual authentication state.