Cookie “HTTPOnly” and “secure” attribute vulnerability

coskucinkilic · June 13, 2022, 12:47pm

Hello,

When I scan my Frontend Page with “Qualys API SCAN” software that is intended to find vulnerabilities, it lands on AUTH0 page and it finds 2 problems with the cookies:

Session Cookie (Authentication Related) Does Not Contain The “HTTPOnly” Attribute
Cookie Does Not Contain The “HTTPOnly” Attribute”

Two cookie starting with:
1- co%2Fverifier%2Fhttps%253A%252F%252F…
2- com.auth0.auth.https%3A%2F%2F…

Can you provide more insight related to this problem, I believe this is exactly the same problem on this link Cookie "HTTPOnly" and "secure" attribute vulnerability - #4

Thanks

tyf · June 14, 2022, 12:18am

Hi there @coskucinkilic welcome to the community!

I believe this is just do to the fact that some cookies can’t be set to HTTPOnly because they are required for our frontend SDKs to function properly - That is, if these particular cookies were HTTPOnly, they would be inaccessible by JavaScript and thus inaccessible by the SDKs.

Hope this helps!

tyf · June 29, 2022, 12:18am

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Cookie "HTTPOnly" and "secure" attribute vulnerability Help auth0 , api , login , vulnerability	2	3268	April 8, 2022
Request to use HttpOnly Cookies for Auth0 Authentication Help classic-universal-login-experience , login-experience	3	2752	February 15, 2023
Cookies Not Marked as Secure and Cookies Not Marked as HttpOnly Help security-question-concern , security-compliance	1	1740	August 28, 2024
Auth0 Cookies to be secure in response Help auth0 , cookie , samesite-cookies	0	1698	September 27, 2022
Auth0.is.authenticated cookie - _legacy_auth0.is.authenticated cookie Knowledge Articles cookies	1	2219	May 31, 2023

Cookie “HTTPOnly” and “secure” attribute vulnerability

Related topics