CA Embedded Entitlements Manager Cookie Settings

Document ID : KB000097779
Last Modified Date : 01/06/2018
Issue:
In older versions of Embedded Entitlements Manager (EEM), the application did not set the 'HttpOnly' or 'Secure' attributes when issuing sensitive cookies following successful authentication.
Resolution:
As of EEM version 12.6, the HttpOnly and Secure attributes are set on the EEM cookie.
Additional Information:
The HttpOnly flag is an attribute of the Set-Cookie header that tells modern browsers not to expose that cookie's value to client-side JavaScript (for example through document.cookie), so the value can be neither read nor overwritten by script. Without the HttpOnly attribute, any script running in the page can read the cookie's value. Failing to set HttpOnly on sensitive cookies makes attacks such as cross-site scripting more damaging, because injected JavaScript can read session identifiers and other sensitive information and transmit them to a malicious third party.

The 'Secure' attribute helps prevent cookies from being stolen by an attacker positioned on the network path between the victim and the server, such as on the same LAN; cookies without this attribute can be captured in cleartext. If the 'Secure' attribute is set on a cookie, modern browsers will send it only over HTTPS connections, never over plain HTTP. The 'Secure' attribute needs to be set even if the vulnerable site only serves content over HTTPS and does not listen for HTTP traffic: the browser decides whether to attach the cookie from the attribute alone, not from whether anything answers on port 80, so a request to the http:// version of the site would still carry a cookie that lacks the attribute.
If the 'Secure' attribute is not set, the cookie will be sent to the vulnerable site along with all HTTP requests to that site, and an attacker that can sniff traffic between the victim and the server might be able to capture it. If successful, this could result in an attacker gaining access to a user's session.
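As an added illustration (not taken from the knowledge base article and not EEM product code), the following Python checker parses Set-Cookie header values, reports cookies that lack HttpOnly or Secure, and includes a helper that mirrors the browser rule described above: a cookie without the Secure attribute is attached to http:// requests regardless of whether the server serves anything over HTTP. The response headers and the cookie name EEM_SESSION are constructed placeholders, not real EEM values.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure attributes.

Added example; not part of the CA article and not EEM code. The header
lines and the cookie name 'EEM_SESSION' are constructed placeholders.
"""
from dataclasses import dataclass, field


@dataclass
class CookieReport:
    """What one Set-Cookie header told the browser to do with the cookie."""
    name: str
    http_only: bool
    secure: bool
    attributes: dict = field(default_factory=dict)

    def findings(self):
        """Return a list of human-readable problems (empty means OK)."""
        out = []
        if not self.http_only:
            out.append("missing HttpOnly: value readable by client-side script")
        if not self.secure:
            out.append("missing Secure: browser will send it over plain HTTP")
        return out


def parse_set_cookie(header_value: str) -> CookieReport:
    """Parse one Set-Cookie header value into a CookieReport.

    The first 'name=value' pair is the cookie itself; everything after the
    first ';' is an attribute. Attribute names are case-insensitive, so
    'HTTPOnly', 'httponly' and 'HttpOnly' are all recognised.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return CookieReport(
        name=name.strip(),
        http_only="httponly" in attrs,
        secure="secure" in attrs,
        attributes=attrs,
    )


def audit_response_headers(headers):
    """Audit every Set-Cookie header in a list of (name, value) pairs."""
    return [parse_set_cookie(v) for n, v in headers if n.lower() == "set-cookie"]


def browser_would_attach(report: CookieReport, scheme: str) -> bool:
    """Mirror the browser rule for the Secure attribute.

    A Secure cookie travels only over https; a cookie without the attribute
    is attached to http requests too, whether or not the server listens on
    port 80. The decision depends only on the attribute and the URL scheme.
    """
    return scheme == "https" or not report.secure


# Constructed sample response headers: the first cookie has the shape the
# article describes for older EEM versions (no flags); the second has the
# corrected shape.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "EEM_SESSION=abc123; Path=/"),
    ("Set-Cookie", "EEM_SESSION=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"),
]

if __name__ == "__main__":
    for report in audit_response_headers(SAMPLE_HEADERS):
        status = "; ".join(report.findings()) or "OK"
        print(f"{report.name}: {status}")
        print(f"  sent over http://  : {browser_would_attach(report, 'http')}")
        print(f"  sent over https:// : {browser_would_attach(report, 'https')}")
```

Running the script prints two findings for the first cookie and OK for the second; the `browser_would_attach` lines show why the article insists on the Secure attribute even for HTTPS-only deployments: only the flagged cookie is withheld from an http:// request.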