000015362 - AxM Agent 4.7.0.X: Support for 'httpOnly' added

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000015362
Applies To: Access Manager Agents 4.7
Issue: AxM Agent 4.7.0.X: Support for "httpOnly" added
The httpOnly feature is included in RSA Access Manager Agent 4.8 via the cleartrust.agent.httponly setting in webagent.conf. When this variable is set to true, the session and retention cookies are set with the "httpOnly" flag. When a cookie is flagged httpOnly, the web browser will not allow client-side scripts (such as JavaScript) to access the cookie, which mitigates theft of the cookie through cross-site scripting (XSS) attacks.
The Access Manager 4.7 agents, when originally released, did not contain this functionality.
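As an added illustration (not part of the original article or RSA's own tooling), the following Python check reads the cleartrust.agent.httponly value out of webagent.conf text and reports which of the agent's Set-Cookie headers lack the HttpOnly flag, which is how one would confirm the setting took effect after applying the hot fix. The cookie names and header values used here are constructed placeholders, not the agent's real cookie names.

```python
import re
from typing import Iterable, List, Optional


def httponly_enabled(webagent_conf: str) -> Optional[bool]:
    """Return the boolean value of cleartrust.agent.httponly in webagent.conf text.

    Returns None when the key is absent (agents predating the hot fix do not
    know the setting at all). Blank lines and '#' comment lines are ignored.
    """
    for line in webagent_conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() == "cleartrust.agent.httponly":
            return value.strip().lower() == "true"
    return None


def cookies_missing_httponly(set_cookie_headers: Iterable[str],
                             watched: Iterable[str]) -> List[str]:
    """Names from `watched` whose Set-Cookie header carries no HttpOnly flag.

    Attribute names are compared case-insensitively, as browsers treat them.
    """
    watched_lc = {name.lower() for name in watched}
    missing = []
    for header in set_cookie_headers:
        name_value, *attrs = header.split(";")
        name = name_value.split("=", 1)[0].strip()
        if name.lower() not in watched_lc:
            continue
        flags = {a.strip().lower() for a in attrs}
        if "httponly" not in flags:
            missing.append(name)
    return missing


# Constructed sample response headers; AXM_SESSION / AXM_RETENTION are
# placeholder names standing in for the agent's session and retention cookies.
SAMPLE_HEADERS = [
    "AXM_SESSION=abc123; Path=/; Secure; HttpOnly",
    "AXM_RETENTION=def456; Path=/; Secure",
    "tracking=xyz; Path=/",
]

if __name__ == "__main__":
    print(cookies_missing_httponly(SAMPLE_HEADERS, ["AXM_SESSION", "AXM_RETENTION"]))
```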
Resolution: The httpOnly functionality has been added to the 4.7 Agents. The Apache agent for Red Hat 4/5 contains this beginning hot fix For IIS,
Notes: Additionally, the following information about httpOnly in relation to browsers is useful to note:
Microsoft Internet Explorer has supported the HttpOnly cookie security feature since IE 6 SP1.
Mozilla Firefox has supported httpOnly since version, released July 2007.

For additional browser support of httpOnly, you will want to contact the browser vendor.
Legacy Article ID: a50160