Sunday, December 9, 2012

HTTPOnly Cookies in OpenAM Policy Agent 3.0.5

Good news out there! With OpenAM Policy Agent 3.0.5, one can configure OpenAM to transmit only HTTPOnly cookies to the browsers (Read here).

HTTPOnly Cookies (Not yet in OpenAM console) 
As of version 3.0.5, web policy agents with this property set to true mark cookies as HTTPOnly, to prevent scripts and third-party programs from accessing the cookies. Property: com.sun.identity.cookie.httponly

We know the security teams in customers' sites are super paranoid about cookies. Yes, cookies that stay in users' browsers and can be hijacked easily!

More about HTTPOnly Cookies here. Note from Wikipedia - This restriction mitigates but does not eliminate the threat of session cookie theft. 

Better than not doing anything, right?


No comments:

Post a Comment