Cookie “HTTPOnly” and “secure” attribute vulnerability

coskucinkilic · June 13, 2022, 12:47pm

Hello,

When I scan my Frontend Page with “Qualys API SCAN” software that is intended to find vulnerabilities, it lands on AUTH0 page and it finds 2 problems with the cookies:

Session Cookie (Authentication Related) Does Not Contain The “HTTPOnly” Attribute
Cookie Does Not Contain The “HTTPOnly” Attribute”

Two cookie starting with:
1- co%2Fverifier%2Fhttps%253A%252F%252F…
2- com.auth0.auth.https%3A%2F%2F…

Can you provide more insight related to this problem, I believe this is exactly the same problem on this link Cookie "HTTPOnly" and "secure" attribute vulnerability - #4

Thanks

tyf · June 14, 2022, 12:18am

Hi there @coskucinkilic welcome to the community!

I believe this is just do to the fact that some cookies can’t be set to HTTPOnly because they are required for our frontend SDKs to function properly - That is, if these particular cookies were HTTPOnly, they would be inaccessible by JavaScript and thus inaccessible by the SDKs.

Hope this helps!

tyf · June 29, 2022, 12:18am

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Request to use HttpOnly Cookies for Auth0 Authentication Help classic-universal-login-experience , login-experience	3	2726	February 15, 2023
Cookies Not Marked as Secure and Cookies Not Marked as HttpOnly Help security-question-concern , security-compliance	1	1728	August 28, 2024
Auth0 Cookies to be secure in response Help auth0 , cookie , samesite-cookies	0	1696	September 27, 2022
Auth0.is.authenticated cookie - _legacy_auth0.is.authenticated cookie Knowledge Articles cookies	1	2194	May 31, 2023
Storing access tokens in HttpOnly Secure SameSite=Strict cookie? Help sessions , authentication-sessions	0	359	April 19, 2024

Cookie “HTTPOnly” and “secure” attribute vulnerability

Related Topics