Cookie "HTTPOnly" and "secure" attribute vulnerability

andreinechifor83 · February 8, 2022, 9:43am

Hello,

When I scan my Frontend Page with “Qualys API SCAN” software that is intended to find vulnerabilities, it lands on AUTH0 authentification page. And it finds 2 problems with the cookies:
Cookie Does Not Contain The “secure” Attribute
Cookie Does Not Contain The “HTTPOnly” Attribute”

Example of such a cookie: com.auth0.auth.ugKuorXXXXX…

Is this normal or it is a security problem for the cookies don’t have those attributes?

Thank you!

dan.woda · February 22, 2022, 11:24pm

Hi @andreinechifor83,

Welcome to the Auth0 Community!

Not all cookies will be marked HTTPOnly and secure.

Can you tell me the name of the cookie you are referring to?

Topic		Replies	Views
Cookie “HTTPOnly” and “secure” attribute vulnerability Help auth0 , api , login , vulnerability	2	3625	June 29, 2022
Cookies Not Marked as Secure and Cookies Not Marked as HttpOnly Help security-question-concern , security-compliance	1	1740	August 28, 2024
Request to use HttpOnly Cookies for Auth0 Authentication Help classic-universal-login-experience , login-experience	3	2752	February 15, 2023
Auth0 Cookies to be secure in response Help auth0 , cookie , samesite-cookies	0	1698	September 27, 2022
Protection against cookie theft? Help	2	3310	August 26, 2019

Cookie "HTTPOnly" and "secure" attribute vulnerability

Related topics