Insecure Cookies

Insecure Cookies

cogentteccogenttec Posts: 1Questions: 1Answers: 0

Hello, I am currently using datatables version 1.9.4. During a recent site security scan, I received the following vulnerability: "The cookies does not contain the 'HTTPOnly' attribute" The impact of the threat states that cookies without the "HTTPOnly" attribute are permitted to be accessed via JavaScript. Cross-site scripting attacks can steal cookies which could lead to user impersonation or compromise of the application account.

Question, is there a way to specify datatables to apply the "HTTPOnly" attribute to 'True' and Secure to 'True'? See FireFox cookie information below.

Thanks

+++++++++++++++++++

SpryMedia_DataTables_active_reports.cfm:"%7B%22iCreate%22%3A1682691997319%2C%22iStart%22%3A0%2C%22iEnd%22%3A0%2C%22iLength%22%3A10%2C%22aaSorting%22%3A%5B%5B0%2C%22asc%22%5D%5D%2C%22oSearch%22%3A%7B%22bCaseInsensitive%22%3Atrue%2C%22sSearch%22%3A%22%22%2C%22bRegex%22%3Afalse%2C%22bSmart%22%3Atrue%7D%2C%22aoSearchCols%22%3A%5B%7B%22bCaseInsensitive%22%3Atrue%2C%22sSearch%22%3A%22%22%2C%22bRegex%22%3Afalse%2C%22bSmart%22%3Atrue%7D%2C%7B%22bCaseInsensitive%22%3Atrue%2C%22sSearch%22%3A%22%22%2C%22bRegex%22%3Afalse%2C%22bSmart%22%3Atrue%7D%2C%7B%22bCaseInsensitive%22%3Atrue%2C%22sSearch%22%3A%22%22%2C%22bRegex%22%3Afalse%2C%22bSmart%22%3Atrue%7D%2C%7B%22bCaseInsensitive%22%3Atrue%2C%22sSearch%22%3A%22%22%2C%22bRegex%22%3Afalse%2C%22bSmart%22%3Atrue%7D%5D%2C%22abVisCols%22%3A%5Btrue%2Ctrue%2Ctrue%2Ctrue%5D%7D"

HostOnly:true
HttpOnly:false
SameSite:"None"
Secure:false

Answers

  • allanallan Posts: 63,516Questions: 1Answers: 10,472 Site admin

    Wow - 1.9.4 is an old one (11 years!). We used cookies back then for state storage. 1.10 introduced the use of localStorage to address this and other issues.

    I would very strongly recommend upgrading to the latest release.

    If you can't for whatever, then you can edit the 1.9.4 code to add the HTTPOnly attribute.

    Allan

Sign In or Register to comment.