Cookies Not Marked as Secure and Cookies Not Marked as HttpOnly

Following a Pen test on our application which is using the Auth0 SPA SDK (Angular), the following Cookies are flagging up as not being marked as secure and not being marked as HTTPOnly.

Appreciate that the latter is because the cookie needs to be accessible in JS, but just wanted to confirm this and that the same applies for the "Secure" setting?

The following cookies are not set with the HTTPOnly or Secure attribute:

  • auth0.organization_hint
  • _legacy_auth0.organization_hint
  • auth0.is.authenticated
  • _legacy_auth0.is.authenticated

Basically I need to know if this is an issue that we can resolve or if it's a risk we'll need to sign off on due to the way our application uses Auth0.

Bumping this again as it's appeared in another yearly security scan.

It's specifically the "Secure" setting on the Auth0 cookies I am querying. I understand the reasoning for HTTPOnly and can justify that being risk accepted.

Hi @robert.smith

Welcome to the Auth0 Community!

I am sorry about the late reply to your post!

We do not recommend setting cookies with the HttpOnly attribute, since that might not allow JS to read them and may interfere with your authentication process.

Regarding the Secure attribute, we highly recommend setting it to true, since it prevents the cookie from being sent over insecure connections. Basically, it prevents the cookie from being stolen by an attacker, which would allow them to impersonate the user and hijack the user's session, and can lead to other vulnerabilities.

Hope this helps!

If you have any other questions, feel free to leave a reply or post again on the community!

Kind Regards,
Nik
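The Secure and HttpOnly semantics discussed in this thread can be checked mechanically, the same way a pen-test scanner does. The following is an added example written for this page; it is not Auth0's code and not part of the SPA SDK. It parses `Set-Cookie` header strings, reports which attributes are missing, and shows the cookie string a browser script can write via `document.cookie`: `Secure` and `SameSite` can be set from JS, but `HttpOnly` can only ever be set by a server response, which is why a cookie that JS must read can never carry it. The sample header values are constructed for the example, not captured from an Auth0 tenant, and `parseSetCookie`, `auditCookie`, `auditAll` and `clientCookieString` are names chosen here.

```javascript
// Added example (not Auth0's code): audit Set-Cookie headers for the
// Secure / HttpOnly / SameSite attributes that security scanners flag.

// Parse one Set-Cookie header value into name, value and an attribute map
// (attribute names lower-cased; valueless attributes such as Secure map to true).
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [nameValue, ...attrs] = parts;
  const eq = nameValue.indexOf('=');
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq).trim();
  const value = eq === -1 ? '' : nameValue.slice(eq + 1).trim();
  const attributes = {};
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return { name, value, attributes };
}

// Produce the findings a scanner would report for a single cookie.
function auditCookie(header) {
  const { name, attributes } = parseSetCookie(header);
  const findings = [];
  if (!attributes.secure) findings.push('missing Secure');
  if (!attributes.httponly) findings.push('missing HttpOnly');
  if (!attributes.samesite) findings.push('missing SameSite');
  return { name, findings };
}

// Constructed sample headers (not captured from a real Auth0 tenant).
const SAMPLE_HEADERS = [
  'auth0.is.authenticated=true; Path=/; Max-Age=86400',
  '_legacy_auth0.is.authenticated=true; Path=/; Max-Age=86400; Secure; SameSite=None',
  'session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax',
];

// Return only the cookies that have at least one finding.
function auditAll(headers = SAMPLE_HEADERS) {
  return headers.map(auditCookie).filter((r) => r.findings.length > 0);
}

// Build the string a SPA would assign to document.cookie. Secure and SameSite
// are available here; HttpOnly is not an option for script-written cookies,
// because a cookie JS writes is by definition a cookie JS can read.
function clientCookieString(name, value, opts = {}) {
  const { secure = true, sameSite = 'Lax', maxAgeSeconds } = opts;
  let s = `${name}=${encodeURIComponent(value)}; Path=/; SameSite=${sameSite}`;
  if (secure) s += '; Secure';
  if (maxAgeSeconds !== undefined) s += `; Max-Age=${maxAgeSeconds}`;
  return s;
}

for (const r of auditAll()) {
  console.log(`${r.name} -> ${r.findings.join(', ')}`);
}
console.log(clientCookieString('auth0.is.authenticated', 'true', { maxAgeSeconds: 86400 }));
```

Run with `node` to see the two flagged sample cookies; the first header reproduces the finding in the original post (no Secure, no HttpOnly), while the third passes every check. In a real audit, feed `auditAll` the `set-cookie` values from a captured HTTPS response, and treat "missing HttpOnly" on a cookie the front end deliberately reads as a documented acceptance rather than a defect.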

Hi,

Thanks for confirming on the HttpOnly setting. I can risk accept that finding.

Yes, I agree with the Secure setting, but these cookies are generated by Auth0, so I was wondering why they aren't set with the Secure flag and if it's possible for us to configure that to be set in these cookies?

Thanks,

Rob

Hi again @robert.smith

Due to the fact that these cookies do not hold sensitive information, it is not necessary to set the Secure flag to true, since the auth0.is.authenticated cookie is only used to remember the authentication state with Auth0 across multiple page tabs and page refreshes. The auth0.organization_hint cookie is used to keep track of the organization ID. If the cookie was stored and the application did not pass the organization ID in the next login attempt, the SDK retrieves the organization ID from the stored cookie while generating the /authorize call for silent authentication calls during fallback, where using the rotational refresh tokens wasn't possible.

Unfortunately, you are unable to configure cookie flags and update them accordingly.
If this poses an issue to your implementation, you can always let us know or post again on the community regarding the matter.

If you have any other questions, feel free to leave a reply!

Kind Regards,
Nik