Dear Mendix,
Unfortunately Mendix does not support de “HTTP Only flag”. This allows Mendix cookies to be accessed by other, non-Mendix, sessions, as stated by OWASP: “If a browser [sic: or server] does not support HttpOnly and a website attempts to set an HttpOnly cookie, the HttpOnly flag will be ignored by the browser, thus creating a traditional, script accessible cookie. As a result, the cookie (typically your session cookie) becomes vulnerable to theft of modification by malicious script.” Source: https://owasp.org/www-community/HttpOnly . We would very much like to be able to set the HTTP Only flag and because this is a security-concern, we would like to ask to to enable customers to set the HTTP Only flag in their Mendix-based applications. Please let us know at what timeframe this feature will become available. Thank you for your tie and consideration. Kind regards,
Hello,
Is there a change with the "httpOnly" flag?
We need to solve this problem as well.
Can someone in Mendix promote a solution..
I assume this idea/issue still hasn't been implemented or resolved? We've had a pen-test mark this as well.
I would like to second this suggestion. One of our applications (On Studio Pro 8.17) had this flagged in a penetration test, with the following reasoning provided:
An XSS vulnerability would allow an attacker to execute their own client-side code in other users’ browsers to read the document.cookie property and send it back to the attacker, allowing them to impersonate the targeted user.
Setting the HttpOnly flag on a given cookie prevents its contents from being accessed by JavaScript code, thus preventing this attack. The XASSESSIONID cookie, used by the application to track authenticated users, did not set the HttpOnly flag upon creation.