The com.auth0.state cookie has been flagged by our security scans for missing the Secure attribute. It is set by Auth0 during the redirect to /authorize. I previously found a post discussing other cookies not being marked Secure as a design decision, but it didn’t mention com.auth0.state specifically. The cookies referenced were:
auth0.organization_hint
_legacy_auth0.organization_hint
auth0.is.authenticated
_legacy_auth0.is.authenticated
Does the answer in that thread also apply to the com.auth0.state cookie?
Is there a way to ensure this cookie is set with the Secure attribute, or is this a warning that can be safely ignored for now?
I am sorry about the delayed response to your inquiry!
I understand that information regarding the com.auth0.state cookie might not be available at this time; however, the cookie behaves similarly to the ones you have mentioned above.
The cookie itself is short-lived and is used exclusively during the authentication flow to prevent CSRF attacks. The cookie does not contain sensitive user information, and it is being set that way by Auth0. Even though marking cookies as Secure is a common practice, it is not necessary for this specific cookie in order to accomplish its function and to operate in an HTTPS-only flow.
As you have mentioned above, the reason the cookie is set this way is purely by design, and it can be safely ignored since it won't affect your application. Otherwise, I would suggest not attempting to set this cookie manually, as tampering with it might affect the authentication process of your application.