In older versions of Embedded Entitlements Manager (EEM), the application did not set the 'HttpOnly' or 'Secure' attributes when issuing sensitive cookies following successful authentication.
As of EEM version 12.6, the HttpOnly and Secure attributes are set on the EEM cookie.
The HttpOnly flag is set as part of a Set-Cookie header to prevent that cookie's value from being accessed by client-side script. Its absence on sensitive cookies may aid in the execution of certain attacks such as cross-site scripting, which could expose the cookie's value to a malicious third party.
The 'Secure' attribute helps prevent cookies from being stolen by attackers on the same LAN as victims; cookies without this attribute can be stolen. If the 'Secure' attribute is set on a cookie, modern browsers will only send it over HTTPS connections (and not over HTTP). The 'Secure' attribute needs to be set even if the vulnerable site only serves content over HTTPS and does not listen for HTTP traffic.
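A small audit that checks Set-Cookie headers for both attributes and shows the unhardened header beside its corrected form; this is an added example, not EEM's own code, and the cookie names and header values in it are constructed for illustration.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure attributes.
Added example, not EEM's own code: cookie names and header values
below are constructed for illustration.
"""
from typing import Dict, List, Tuple

REQUIRED = ("HttpOnly", "Secure")  # every sensitive cookie should carry both


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Split a Set-Cookie value into (cookie name, {attribute: value}).
    Attribute names are case-insensitive (RFC 6265), so they are
    lowercased; flags such as Secure and HttpOnly map to ''.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_cookies(set_cookie_headers: List[str]) -> Dict[str, List[str]]:
    """Map each cookie lacking a REQUIRED attribute to what it is missing."""
    findings: Dict[str, List[str]] = {}
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        missing = [a for a in REQUIRED if a.lower() not in attrs]
        if missing:
            findings[name] = missing
    return findings


def harden_set_cookie(header: str) -> str:
    """Append any REQUIRED attribute that is absent; existing ones are kept."""
    _, attrs = parse_set_cookie(header)
    extra = [a for a in REQUIRED if a.lower() not in attrs]
    return header.rstrip("; ") + "".join(f"; {a}" for a in extra)


# Constructed sample: an unhardened response next to the same cookies fixed.
OLD_RESPONSE = ["session=abc123; Path=/", "prefs=dark; Path=/; Secure"]
FIXED_RESPONSE = [harden_set_cookie(h) for h in OLD_RESPONSE]

if __name__ == "__main__":
    for name, missing in audit_cookies(OLD_RESPONSE).items():
        print(f"{name}: missing {', '.join(missing)}")
    print("after hardening:", audit_cookies(FIXED_RESPONSE))  # {}
```

The same check can be run against captured response headers from a real deployment to confirm that every cookie issued after login carries both attributes.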
If the 'Secure' attribute is not set, the cookie will be sent to the vulnerable site along with all HTTP requests to that site, and an attacker who can sniff traffic between the victim and the server might be able to steal the cookies. If successful, this could result in an attacker gaining access to a user's