Enabling HTTPOnly cookies with Linux Access Gateway

  • 7000465
  • 23-May-2008
  • 26-Apr-2012

Environment

Novell Access Management 3 Linux Access Gateway

Situation

Since the release of Internet Explorer 6 SP1, IE includes security enhancements that prevent cookies from being accessed through the standard scripting APIs and, more importantly, mitigate cross-site scripting attacks. By setting the HttpOnly attribute on the session cookie, one can prevent any access to the session cookie from within a script.

If the HttpOnly attribute is included in the response header, the cookie is still sent when the user browses to a Web site in the valid domain, but it cannot be accessed through a script in Internet Explorer 6 SP1, even by the Web site that set the cookie in the first place. This means that even if a cross-site scripting bug exists and the user is tricked into clicking a link that exploits this bug, Windows Internet Explorer does not send the cookie to a third party. The information is safe.

Resolution

With the release of Access Manager 3 Support Pack 3 IR1, the HttpOnly attribute can be enabled on the Linux Access Gateway by creating (touching) the file /var/novell/.EnableHttpOnlyCookie. When this file exists, the session cookie sent down to the browser by the Linux Access Gateway includes the HttpOnly attribute.

The Linux Access Gateway must be restarted for the change to take effect. Use the following commands to restart it whenever the touch file is created or removed:

   /etc/init.d/novell-vmc stop
   /etc/init.d/novell-vmc start
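The following shell script is an added example and is not part of this TID or of Novell's product. It wraps the two steps above (create or remove the touch file, then verify) and adds the check an administrator would want after the restart: parse the response headers returned by the gateway and confirm that every Set-Cookie header carries the HttpOnly attribute. The touch-file path defaults to /var/novell/.EnableHttpOnlyCookie from the TID; the optional second argument, the cookie name SESSION and the header samples are constructed for illustration. The script does not restart novell-vmc itself; run the stop/start commands above after toggling the file.

```shell
#!/bin/sh
# Added example (not from the Novell TID): manage the HttpOnly touch file and
# verify Set-Cookie headers. Default path is the one named in the TID.
TOUCH_FILE_DEFAULT=/var/novell/.EnableHttpOnlyCookie

# set_httponly_flag enable|disable [touch_file]
# Creates or removes the touch file. The gateway must be restarted afterwards
# (/etc/init.d/novell-vmc stop; /etc/init.d/novell-vmc start).
set_httponly_flag() {
    action=$1
    touch_file=${2:-$TOUCH_FILE_DEFAULT}
    case "$action" in
        enable)  touch "$touch_file" ;;
        disable) rm -f "$touch_file" ;;
        *) echo "usage: set_httponly_flag enable|disable [touch_file]" >&2; return 2 ;;
    esac
}

# httponly_enabled [touch_file]: succeeds when the touch file exists.
httponly_enabled() {
    [ -e "${1:-$TOUCH_FILE_DEFAULT}" ]
}

# cookie_has_httponly "<Set-Cookie header value>"
# Succeeds if the value carries an HttpOnly attribute (case-insensitive).
# Whitespace is stripped and the match is anchored on ';' so that a cookie
# *value* containing the word "httponly" is not mistaken for the attribute.
cookie_has_httponly() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | tr -d ' \t' | grep -qE ';httponly(;|$)'
}

# all_cookies_httponly: reads a raw HTTP response header block on stdin
# (e.g. from `curl -sI https://gateway.example.invalid/`), reports each
# Set-Cookie line, and fails if any of them lacks HttpOnly.
all_cookies_httponly() {
    rc=0
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d '\r')   # tolerate CRLF line ends
        case "$line" in
            [Ss][Ee][Tt]-[Cc][Oo][Oo][Kk][Ii][Ee]:*)
                value=${line#*:}
                value=${value# }
                if cookie_has_httponly "$value"; then
                    echo "OK      $value"
                else
                    echo "MISSING HttpOnly: $value"
                    rc=1
                fi ;;
        esac
    done
    return $rc
}

# Constructed sample header blocks (not captured from a real gateway).
SAMPLE_OK='HTTP/1.1 200 OK
Set-Cookie: SESSION=abc123; path=/; HttpOnly
Content-Type: text/html'

SAMPLE_BAD='HTTP/1.1 200 OK
Set-Cookie: SESSION=abc123; path=/
Set-Cookie: PREF=httponly; path=/
Content-Type: text/html'

# Demonstration when run directly with "demo" as the first argument.
if [ "${1:-}" = demo ]; then
    echo "-- headers with HttpOnly:";    printf '%s\n' "$SAMPLE_OK"  | all_cookies_httponly
    echo "-- headers without HttpOnly:"; printf '%s\n' "$SAMPLE_BAD" | all_cookies_httponly || echo "check failed (expected)"
fi
```

After enabling the flag and restarting the gateway, pipe the real response headers into the checker, for example `curl -sI https://<gateway host>/ | all_cookies_httponly`; a non-zero exit means at least one cookie was still issued without HttpOnly, which usually indicates the touch file is missing or the gateway was not restarted.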