SSPR Cookie, AuthRecord is not Secure

  • 7016882
  • 06-Oct-2015
  • 07-Oct-2015

Environment

Self Service Password Reset
SSPR 3.3

Situation

"authRecord" cookie sent by SSPR shows as not secure
F12 developer tools and Webinspector list the authRecord cookie as not secure
What is the authRecord cookie used by SSPR and what does it do?


Resolution

There is no way to set the cookie's secure flag, but you can configure SSPR either to ignore the cookie or to not send it at all.


To ignore this cookie, set "previous authentication" to "Not Used" in Modules --> Forgotten Password --> Forgotten Password Profile --> <profile> --> Verification Methods.


The auth record cookie is used to indicate whether a user has logged in previously. It is only used if the "Verification Methods" for the Forgotten Password module include "previous authentication." This cookie will not be read by SSPR unless "previous authentication" is set to Required or Optional.


To prevent this cookie from being sent at all, enter http.cookie.authRecord.name with an empty value in Configuration Manager --> Settings --> Application --> App Property Overrides (the same property shown for SSPRConfiguration.xml in the note that follows).


Note: "App Property Overrides" was made available beginning with SSPR 3.3. For SSPR 3.2 you can prevent this cookie from being sent by manually modifying SSPRConfiguration.xml and adding:
<property key="http.cookie.authRecord.name"> </property>


CAUTION: Only use "App Property Overrides" when directed by Micro Focus Customer Care. The values to be entered may change from version to version and should be confirmed. The setting documented in this article pertains to SSPR 3.3.

Additional Information

The idea of 'secure' cookies can be a bit misleading. The 'secure' flag on a cookie prevents the browser from sending the cookie over an unencrypted (http) channel. If the channel is already encrypted (https), the cookie travels securely whether or not the flag is set. The flag is an extra safeguard in case the channel is unexpectedly not secure.
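As an added example (not from this article or the SSPR product), the following script audits Set-Cookie headers the way the browser developer tools do, reporting cookies issued without the Secure or HttpOnly attribute and confirming whether the authRecord cookie is still sent after the override. The two response samples are constructed; the cookie values and the JSESSIONID cookie are assumptions, not captured SSPR output.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly attributes.

Added example, not part of SSPR or this article. The sample headers are
constructed to illustrate the condition the article describes.
"""
from typing import Dict, List, Tuple

# Constructed sample: response before the http.cookie.authRecord.name
# override is applied (cookie values are made up).
BEFORE_OVERRIDE = [
    "JSESSIONID=0123456789ABCDEF; Path=/sspr; Secure; HttpOnly",
    "authRecord=exampleAuthRecordValue; Path=/sspr; Max-Age=31536000",
]

# Constructed sample: after the override, the authRecord cookie is not sent.
AFTER_OVERRIDE = [
    "JSESSIONID=0123456789ABCDEF; Path=/sspr; Secure; HttpOnly",
]


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Return (cookie name, {attribute: value}) for one Set-Cookie header.

    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly map to an empty string.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_cookies(headers: List[str]) -> Dict[str, List[str]]:
    """Map each cookie name to the protective attributes it lacks."""
    findings: Dict[str, List[str]] = {}
    for header in headers:
        name, attrs = parse_set_cookie(header)
        findings[name] = [f for f in ("secure", "httponly") if f not in attrs]
    return findings


def cookie_sent(headers: List[str], cookie_name: str) -> bool:
    """True if any Set-Cookie header in the response sets cookie_name."""
    return any(parse_set_cookie(h)[0] == cookie_name for h in headers)


if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE_OVERRIDE), ("after", AFTER_OVERRIDE)):
        print(label, audit_cookies(hdrs), "authRecord sent:", cookie_sent(hdrs, "authRecord"))
```

To run this against a real deployment, collect the Set-Cookie headers from an SSPR response (for example, from the browser's network panel) and pass them in place of the constructed lists.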