Insecure Cookies

cogenttec (Posts: 1, Questions: 1, Answers: 0)

Hello, I am currently using datatables version 1.9.4. During a recent site security scan, I received the following vulnerability: "The cookies does not contain the 'HTTPOnly' attribute" The impact of the threat states that cookies without the "HTTPOnly" attribute are permitted to be accessed via JavaScript. Cross-site scripting attacks can steal cookies which could lead to user impersonation or compromise of the application account.

Question: is there a way to specify that DataTables should set the "HTTPOnly" attribute to 'True' and Secure to 'True'? See the Firefox cookie information below.

Thanks

+++++++++++++++++++

SpryMedia_DataTables_active_reports.cfm:"%7B%22iCreate%22%3A1682691997319%2C%22iStart%22%3A0%2C%22iEnd%22%3A0%2C%22iLength%22%3A10%2C%22aaSorting%22%3A%5B%5B0%2C%22asc%22%5D%5D%2C%22oSearch%22%3A%7B%22bCaseInsensitive%22%3Atrue%2C%22sSearch%22%3A%22%22%2C%22bRegex%22%3Afalse%2C%22bSmart%22%3Atrue%7D%2C%22aoSearchCols%22%3A%5B%7B%22bCaseInsensitive%22%3Atrue%2C%22sSearch%22%3A%22%22%2C%22bRegex%22%3Afalse%2C%22bSmart%22%3Atrue%7D%2C%7B%22bCaseInsensitive%22%3Atrue%2C%22sSearch%22%3A%22%22%2C%22bRegex%22%3Afalse%2C%22bSmart%22%3Atrue%7D%2C%7B%22bCaseInsensitive%22%3Atrue%2C%22sSearch%22%3A%22%22%2C%22bRegex%22%3Afalse%2C%22bSmart%22%3Atrue%7D%2C%7B%22bCaseInsensitive%22%3Atrue%2C%22sSearch%22%3A%22%22%2C%22bRegex%22%3Afalse%2C%22bSmart%22%3Atrue%7D%5D%2C%22abVisCols%22%3A%5Btrue%2Ctrue%2Ctrue%2Ctrue%5D%7D"

HostOnly:true
HttpOnly:false
SameSite:"None"
Secure:false
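The scanner finding above concerns cookie attributes that only a server can set. As an added example (not part of this thread and not DataTables code), here is a small auditor that parses Set-Cookie response headers and flags the same three things the scanner checks: HttpOnly, Secure and SameSite. The headers in it are constructed; the second one mimics the name and URL-encoded JSON value of the DataTables 1.9 state cookie shown in the question. The caveat it encodes is that HttpOnly can only be set through a Set-Cookie header: a cookie written from page JavaScript via document.cookie, which is how DataTables 1.9 stores state, can never carry HttpOnly, so the check is only meaningful for cookies the server issues.

```javascript
// Added example: audit Set-Cookie headers for HttpOnly / Secure / SameSite.
// The sample headers below are constructed for this example.

const SAMPLE_SET_COOKIE_HEADERS = [
  // Session cookie set correctly by the server
  'CFID=12345; Path=/; Secure; HttpOnly; SameSite=Lax',
  // State cookie of the kind DataTables 1.9 writes from JavaScript
  // (constructed, shortened value; such a cookie cannot be HttpOnly)
  'SpryMedia_DataTables_active_reports.cfm=%7B%22iStart%22%3A0%7D; Path=/; Expires=Sun, 28 Apr 2024 00:00:00 GMT',
  // Secure, but still readable from script
  'prefs=dark; Path=/; Secure; SameSite=None',
];

// Split one Set-Cookie header into name, value and a lowercase attribute map.
// Flag attributes (Secure, HttpOnly) are stored as `true`.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [name, ...valueParts] = parts[0].split('=');
  const cookie = { name: name.trim(), value: valueParts.join('='), attributes: {} };
  for (const attr of parts.slice(1)) {
    const eq = attr.indexOf('=');
    const key = (eq === -1 ? attr : attr.slice(0, eq)).trim().toLowerCase();
    cookie.attributes[key] = eq === -1 ? true : attr.slice(eq + 1).trim();
  }
  return cookie;
}

// Produce the findings a scanner would report for one parsed cookie.
function auditCookie(cookie) {
  const a = cookie.attributes;
  const findings = [];
  if (!a.httponly) {
    findings.push('missing HttpOnly: readable via document.cookie, so exposed to XSS');
  }
  if (!a.secure) {
    findings.push('missing Secure: may be sent over plaintext HTTP');
  }
  const sameSite = typeof a.samesite === 'string' ? a.samesite.toLowerCase() : undefined;
  if (!sameSite) {
    findings.push('missing SameSite: Chromium-based browsers treat it as Lax, but make it explicit');
  } else if (sameSite === 'none' && !a.secure) {
    findings.push('SameSite=None without Secure: modern browsers reject this cookie');
  }
  return { name: cookie.name, findings };
}

function auditSetCookieHeaders(headers) {
  return headers.map((h) => auditCookie(parseSetCookie(h)));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const result of auditSetCookieHeaders(SAMPLE_SET_COOKIE_HEADERS)) {
    console.log(result.name, result.findings.length ? result.findings : 'OK');
  }
}
```

Run it against the headers captured from the application itself (curl -I, or the browser's network panel) rather than the devtools cookie listing, since the listing shows the effective flags but not which component set them.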

Answers

  • allan (Posts: 61,743, Questions: 1, Answers: 10,111) Site admin

    Wow - 1.9.4 is an old one (11 years!). We used cookies back then for state storage. 1.10 introduced the use of localStorage to address this and other issues.

    I would very strongly recommend upgrading to the latest release.

    If you can't for whatever reason, then you can edit the 1.9.4 code to add the HTTPOnly attribute.

    Allan
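The answer points at what 1.10 did: move table state out of cookies into Web Storage. DataTables 1.9 already exposes the fnStateSave and fnStateLoad initialisation options for this, so the state cookie can be avoided without upgrading. The following is an added example, not the thread's or DataTables' own code, of callbacks that persist state to a storage object with the localStorage interface; the storage object and key prefix are parameters so that it runs outside a browser, and oSettings.sInstance is the 1.9 settings field that holds the table id. A helper that decodes a cookie value of the URL-encoded JSON form shown in the question is included for inspecting or migrating existing state.

```javascript
// Added example: keep DataTables 1.9 state in Web Storage instead of a cookie.
// `storage` is anything with getItem/setItem (window.localStorage in a page);
// `keyPrefix` is assumed by this example, not a DataTables option.

function makeStateCallbacks(storage, keyPrefix) {
  const keyFor = (oSettings) => keyPrefix + oSettings.sInstance;
  return {
    // oData is the plain state object DataTables builds (iStart, aaSorting, ...)
    fnStateSave: function (oSettings, oData) {
      try {
        storage.setItem(keyFor(oSettings), JSON.stringify(oData));
      } catch (e) {
        // Storage disabled or quota exceeded: state is simply not persisted
      }
    },
    // Return the saved state object, or null so DataTables uses its defaults
    fnStateLoad: function (oSettings) {
      const raw = storage.getItem(keyFor(oSettings));
      if (raw === null || raw === undefined) return null;
      try {
        const data = JSON.parse(raw);
        return data && typeof data === 'object' ? data : null;
      } catch (e) {
        return null; // corrupted or tampered entry: fall back to defaults
      }
    },
  };
}

// Decode a 1.9 state cookie value (URL-encoded JSON) into the state object.
function decodeStateCookieValue(value) {
  return JSON.parse(decodeURIComponent(value));
}

// In a page (assumed usage, table id taken from the question):
//   var cb = makeStateCallbacks(window.localStorage, 'DataTables_' + location.pathname + '_');
//   $('#active_reports').dataTable({
//     bStateSave: true,
//     fnStateSave: cb.fnStateSave,
//     fnStateLoad: cb.fnStateLoad
//   });

if (typeof require !== 'undefined' && require.main === module) {
  // Constructed value in the same form as the cookie shown in the question
  console.log(decodeStateCookieValue('%7B%22iStart%22%3A0%2C%22iLength%22%3A10%7D'));
}
```

Because the state is no longer a cookie it is not sent with every request and is not exposed through a missing HttpOnly flag; it remains readable by any script on the same origin, which is acceptable for non-sensitive UI state such as paging and sort order. If state must also stop being persisted across sessions, pass window.sessionStorage instead.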
