This issue is a false positive; the following cookies do not need to include the HttpOnly flag.

The Management Console timeout cookie (BCSI_MC) does not include the flag because it is functionally a session cookie. Note, however, that the absence of the HttpOnly flag on this cookie does not introduce a security risk because:

Cookie data consists of a timestamp used to compute the inactivity timeout (how long the console session can be idle before it is automatically logged out). Thus the value is not static and cannot serve as a unique identifier for the session, so it would not be useful as part of an attack.
Transparent authentication cookies (BCSI-AC, BCSI-ACP) do not include the flag because the ProxySG appliance must authenticate every connection, including connections made on behalf of a script or plugin. If the HttpOnly flag were set, users might be unable to connect to some web pages because some scripted requests would receive a credential challenge and (in certain cases) be redirected. Furthermore, the security benefit of adding the flag is questionable; the appliance isn’t an origin content server (OCS), and these cookies wouldn't be used as part of an attack. The transparent authentication cookies are protected by an HMAC, and by default are tied to the client IP address. In order to use a stolen cookie, an attacker would have to spoof the client’s IP address.

Note: You can mitigate the risk of stolen cookies by reducing the surrogate timeout, or by using a non-cookie authentication mode like “origin”. The surrogate timeout is 15 minutes by default. When the timeout expires, the appliance will re-challenge for credentials (often presented silently by the browser, which has them cached), and then issue a new cookie.
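When a scanner keeps reporting these cookies, it helps to triage the finding automatically: accept the three cookie names this article documents and still flag any other cookie that lacks HttpOnly. The following script is an added example, not part of the article or the ProxySG product; the Set-Cookie header values are constructed, and the scanner integration is assumed.

```python
# Cookie names this article documents as intentionally lacking HttpOnly on ProxySG.
KNOWN_EXCEPTIONS = {
    "BCSI_MC": "Management Console inactivity timestamp; not a session identifier",
    "BCSI-AC": "transparent authentication cookie; HMAC-protected, tied to client IP",
    "BCSI-ACP": "transparent authentication cookie; HMAC-protected, tied to client IP",
}

# Constructed Set-Cookie header values standing in for scanner output.
SAMPLE_HEADERS = [
    "BCSI_MC=1700000000; Path=/; Secure",
    "BCSI-AC=CONSTRUCTED_OPAQUE_VALUE; Path=/; Secure",
    "JSESSIONID=abc123; Path=/; HttpOnly; Secure",
    "tracking=xyz; Path=/",
]


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute names are lowercased; valueless attributes such as HttpOnly map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def triage(set_cookie_headers):
    """Return (name, verdict, reason) for every cookie missing HttpOnly.

    Verdict is "accepted" for the documented ProxySG exceptions and "review" otherwise;
    cookies that already carry HttpOnly produce no finding.
    """
    findings = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if "httponly" in attrs:
            continue
        if name in KNOWN_EXCEPTIONS:
            findings.append((name, "accepted", KNOWN_EXCEPTIONS[name]))
        else:
            findings.append((name, "review", "HttpOnly missing on a cookie this article does not cover"))
    return findings


if __name__ == "__main__":
    for name, verdict, reason in triage(SAMPLE_HEADERS):
        print(f"{name}: {verdict} ({reason})")
```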
Imported Document ID: 000008758