Cookie “HTTPOnly” and “secure” attribute vulnerability

coskucinkilic · June 13, 2022, 12:47pm

Hello,

When I scan my Frontend Page with “Qualys API SCAN” software that is intended to find vulnerabilities, it lands on AUTH0 page and it finds 2 problems with the cookies:

Session Cookie (Authentication Related) Does Not Contain The “HTTPOnly” Attribute
Cookie Does Not Contain The “HTTPOnly” Attribute”

Two cookie starting with:
1- co%2Fverifier%2Fhttps%253A%252F%252F…
2- com.auth0.auth.https%3A%2F%2F…

Can you provide more insight related to this problem, I believe this is exactly the same problem on this link Cookie "HTTPOnly" and "secure" attribute vulnerability - #4

Thanks

tyf · June 14, 2022, 12:18am

Hi there @coskucinkilic welcome to the community!

I believe this is just do to the fact that some cookies can’t be set to HTTPOnly because they are required for our frontend SDKs to function properly - That is, if these particular cookies were HTTPOnly, they would be inaccessible by JavaScript and thus inaccessible by the SDKs.

Hope this helps!

tyf · June 29, 2022, 12:18am

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.