Kace Server - Missing HttpOnly Attribute in Session Cookie
Anyone else come across this? Security ran a scan and the K1000 and K2000 both have this vulnerability.
ISSUE: "Missing HttpOnly Attribute in Session Cookie"
There was some question here at my organization about whether the 5.5 upgrade addressed it, but I didn't see any reference in the release notes or elsewhere, so I don't think it was addressed.
The "Fix recommendation" is to "Add the 'HttpOnly' attribute to all session cookies." This sounds like something Kace support would have to do, but if it's a big deal and isn't already done, then I would expect it's not done for a reason.
Any info at all on this oddball would be great.
Thanks,
Answers (0)
Scan tool==> IBM AppScan - We're a tiered setup and a different group runs the scan. We have plenty of other internal and external sites, but as far as I know, only our K1000 and K2000 came up with it. - murbot 10 years ago
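If you want to confirm the scanner's finding yourself rather than rely on the AppScan report, the check is just "does every session cookie the appliance sets carry the HttpOnly attribute". The script below is an added example, not code from the original post and not part of any KACE product; the cookie names in the sample data (kboxid, PHPSESSID, theme) are made-up placeholders, not a statement about what the K1000 or K2000 actually sets. Run it with no arguments to audit the constructed sample headers, or with an https:// URL to fetch the appliance's login page and audit the real Set-Cookie headers (add --insecure only if the appliance uses a self-signed certificate you already trust).

```python
"""Check Set-Cookie headers for the HttpOnly (and Secure) attribute.

Added example, not part of the original post or of any KACE/Quest code.
Cookie names in SAMPLE_HEADERS are assumptions chosen for illustration.
"""
import http.client
import ssl
import sys
from urllib.parse import urlsplit


def parse_set_cookie(header_value):
    """Split one raw Set-Cookie value into (cookie_name, {attribute: value}).

    Attribute names are lower-cased; flag attributes (HttpOnly, Secure)
    map to True. Only the cookie name is kept, not its value.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        elif part:
            attrs[part.lower()] = True
    return name, attrs


def audit_cookies(set_cookie_headers, session_names=None):
    """Return [(cookie_name, [missing_attributes])] for cookies lacking
    HttpOnly or Secure.

    set_cookie_headers: list of raw Set-Cookie header values.
    session_names: optional set of cookie names to treat as session cookies;
    when None, every cookie is checked, which is effectively what the
    scanner does when it cannot tell which cookie carries the session.
    """
    findings = []
    for raw in set_cookie_headers:
        name, attrs = parse_set_cookie(raw)
        if session_names is not None and name not in session_names:
            continue
        missing = [a for a in ("httponly", "secure") if a not in attrs]
        if missing:
            findings.append((name, missing))
    return findings


def fetch_set_cookie_headers(url, verify_tls=True, timeout=10):
    """GET url and return every Set-Cookie header value the server sent.

    verify_tls=False skips certificate verification; use it only for an
    appliance with a self-signed certificate you have already verified.
    """
    parts = urlsplit(url)
    if parts.scheme == "https":
        ctx = ssl.create_default_context()
        if not verify_tls:
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        conn = http.client.HTTPSConnection(parts.hostname, parts.port or 443,
                                           timeout=timeout, context=ctx)
    else:
        conn = http.client.HTTPConnection(parts.hostname, parts.port or 80,
                                          timeout=timeout)
    conn.request("GET", parts.path or "/")
    resp = conn.getresponse()
    # getheaders() keeps repeated headers, so each Set-Cookie comes back separately.
    headers = [v for k, v in resp.getheaders() if k.lower() == "set-cookie"]
    conn.close()
    return headers


# Constructed sample headers for offline use; not captured from a real appliance.
SAMPLE_HEADERS = [
    "kboxid=abc123; path=/; secure",                 # missing HttpOnly
    "PHPSESSID=def456; path=/; HttpOnly; Secure",    # correctly flagged
    "theme=dark; path=/",                            # missing both
]


def main(argv):
    if len(argv) > 1:
        headers = fetch_set_cookie_headers(argv[1],
                                           verify_tls="--insecure" not in argv)
    else:
        headers = SAMPLE_HEADERS
    findings = audit_cookies(headers)
    for name, missing in findings:
        print(f"{name}: missing {', '.join(missing)}")
    if not findings:
        print("all cookies carry HttpOnly and Secure")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The exit status is non-zero when any cookie is missing an attribute, so the script can sit in a scheduled job that re-checks the appliances after an upgrade. Note that the check only sees cookies set on the page you fetch; a session cookie issued after login needs the authenticated response inspected the same way.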