Security Fix - "HTTPOnly" and "secure" attributes

Status: Open
DEWright_CA
Frequent Contributor

Recent security scans of ArcGIS Portal and ArcGIS Server raised security concerns around use of these values being assigned in cookies to protect and validate their use.

"HTTPOnly" - Cookies without the "HTTPOnly" attribute are permitted to be accessed via JavaScript. Cross-site scripting attacks can steal cookies which could lead to user impersonation or compromise of the application account.

"secure" - Cookies with the "secure" attribute are only permitted to be sent via HTTPS. Cookies sent via HTTP expose an unsuspecting user to sniffing attacks that could lead to user impersonation or compromise of the application account.
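The two attributes described above can be checked directly from the Set-Cookie headers a scanner or a browser sees. The following is an added example, not part of the original post and not Esri code: it parses Set-Cookie header values per RFC 6265 (attribute names are case-insensitive, so `httponly` and `HttpOnly` are treated alike) and reports which cookies lack HttpOnly or Secure. The sample headers are constructed and the cookie names are placeholders, not the cookies ArcGIS Portal or ArcGIS Server actually set.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure attributes (RFC 6265).

Added example; the sample headers below are constructed and the cookie names
are placeholders, not the cookies ArcGIS Portal or Server actually set.
"""
import urllib.request


def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (name, value, attributes).

    Attribute names are case-insensitive per RFC 6265, so they are normalised
    to lower case; flag attributes such as HttpOnly and Secure map to True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value.strip(), attrs


def audit_cookie(header_value):
    """Return (cookie_name, findings) for one Set-Cookie header value."""
    name, _, attrs = parse_set_cookie(header_value)
    findings = []
    # Without HttpOnly, document.cookie exposes the value to any injected script.
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    # Without Secure, the browser will also send the cookie over plain HTTP.
    if "secure" not in attrs:
        findings.append("missing Secure")
    return name, findings


def audit_headers(set_cookie_headers):
    """Audit a list of Set-Cookie header values; returns {cookie_name: findings}."""
    return dict(audit_cookie(h) for h in set_cookie_headers)


def audit_url(url):
    """Fetch one response from a server you operate and audit its Set-Cookie headers.

    Network helper; not called below, so the module runs offline.
    """
    with urllib.request.urlopen(url) as resp:
        return audit_headers(resp.headers.get_all("Set-Cookie") or [])


# Constructed sample headers (placeholder names, not real ArcGIS cookies).
SAMPLE_HEADERS = [
    "session_token=abc123; Path=/portal; HttpOnly; Secure",
    "app_session=deadbeef; Path=/arcgis",
    "ui_pref=compact; Path=/; Secure",
]

if __name__ == "__main__":
    for cookie, findings in audit_headers(SAMPLE_HEADERS).items():
        status = ", ".join(findings) if findings else "ok"
        print(f"{cookie}: {status}")
```

Run against the constructed headers, the first cookie passes, the second is reported as missing both attributes, and the third as missing HttpOnly only. Scanners typically report every cookie, not only session cookies, so a finding on a purely cosmetic cookie (the `ui_pref` placeholder here) is lower risk than one on a cookie that carries a session or token, which is the case the original post is concerned with.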

4 Comments
ChrisUnderwood

Hello @DEWright_CA , please can you confirm the versions and security patch levels of your ArcGIS Portal and ArcGIS Server.

AhmadAwada1

Hi Chris,

I have the same case as DEWright and my ArcGIS Enterprise version is 11.3 with all current security patches applied. Are you saying that the security patches had already addressed these concerns? If yes, can you mention which security patches specifically to ensure that it is applied (although the scan was performed after security patches were applied).

Thank you

ChrisUnderwood

Hello @AhmadAwada1, no, I'm not saying I expect those concerns to be addressed in particular patches or versions. I wanted to add information to this Idea by confirming that these concerns do occur in a General Availability version that is fully patched.

DEWright_CA

Version 11.3