Is the Agent Configuration Object (ACO) parameter 'UseHTTPOnlyCookies' specific to Microsoft Internet Explorer ? And How does it protect against cross site scripting attacks?

Document ID : KB000051256
Last Modified Date : 14/02/2018
Show Technical Document Details

Description:

The Agent Configuration Object (ACO) parameter 'UseHTTPOnlyCookies' helps protect against cross-site scripting attacks using an 'HTTP-Only' cookie attribute .

Solution:

To help protect against cross-site scripting attacks, you can make the Web Agent set the HTTP-Only attribute for any cookies it creates using the following parameter: UseHTTPOnlyCookies. Additional information on protecting data with HTTP-only Cookies can be obtained from the MSDN website at:
http://msdn.microsoft.com/en-us/library/ms533046(VS.85).aspx

A new HTTPOnly attribute was introduced to cookies for Internet Explorer 6SP1. This attribute specified that a cookie not be accessible through script. To correspond with this attribute, A new Agent Configuration Object (ACO) parameter "UseHTTPOnlyCookies" was introduced in 6QMR5 HF06 to create HTTP-Only cookies in SiteMinder web agent. This parameter adds a HTTP-Only flag to all SiteMinder cookies if the value is set to YES. (Refer Tech Document: TEC486169).

This parameter was therefore created specific to the IE attribute.

Most other modern browsers (as of writing this KB article) also support the HTTP-Only flag although it may not be as properly enforced.