Dear Mendix,
Unfortunately Mendix does not support the “HTTP Only flag”. This allows Mendix cookies to be accessed by other, non-Mendix, sessions, as stated by OWASP: “If a browser [sic: or server] does not support HttpOnly and a website attempts to set an HttpOnly cookie, the HttpOnly flag will be ignored by the browser, thus creating a traditional, script accessible cookie. As a result, the cookie (typically your session cookie) becomes vulnerable to theft or modification by malicious script.” Source: https://owasp.org/www-community/HttpOnly . We would very much like to be able to set the HTTP Only flag, and because this is a security concern, we would like to ask you to enable customers to set the HTTP Only flag in their Mendix-based applications. Please let us know in what timeframe this feature will become available. Thank you for your time and consideration.
Kind regards,
The originURI cookie is intentionally non-secure. It does not contain any sensitive information.
Please do not try to rewrite it or mark it as HttpOnly, as it will affect the functionality of your application.
Here is the full list of cookies used by Mendix and information about their security: https://docs.mendix.com/refguide/mendix-client/#cookies
Most likely this vulnerability is found on the origin URL, including Login.html. This can be fixed by adding something like this in the Login.html file:
Now the login.html file is controlled by the index.html file, so you need to follow the steps below to fix it:
1. Open URL/index.html and take the full response content of this page (XML).
2. Take a full copy of the XML; in your local Studio Pro project, go to theme/web, create a file named index.html, and paste the XML content you copied into it.
3. Just add this to the script "HttpOnly=true" as shown below:
4. Commit and deploy the code.
Note: If you are using IIS, adding this value in the web.config, "<httpCookies httpOnlyCookies="true" />", won't fix it, but there's no harm in adding it.
Hi all, is there any update on this? It was also highlighted in our tests, but to be specific it's ONLY about the originURI cookie (a request cookie, to be fair).
Hello,
Is there a change with the "httpOnly" flag?
We need to solve this problem as well.
Can someone in Mendix promote a solution?
I assume this idea/issue still hasn't been implemented or resolved? We've had a pen-test mark this as well.
I would like to second this suggestion. One of our applications (On Studio Pro 8.17) had this flagged in a penetration test, with the following reasoning provided:
An XSS vulnerability would allow an attacker to execute their own client-side code in other users’ browsers to read the document.cookie property and send it back to the attacker, allowing them to impersonate the targeted user.
Setting the HttpOnly flag on a given cookie prevents its contents from being accessed by JavaScript code, thus preventing this attack. The XASSESSIONID cookie, used by the application to track authenticated users, did not set the HttpOnly flag upon creation.