Environment
Access Manager 4.4
Access Manager Admin Console
Situation
An application scanner was run against the NAM Administration Console and generated an alert that the cookie HTTPOnly flag is not set for the /adminui path on the host.
Resolution
CSRF protection is built into NAM 4.4.1, and this alert is a false positive that does not affect the Admin Console. The scanner flags the CSRF protection cookie because it is set without the HTTPOnly flag. This is not a vulnerability, because the cookie follows the OWASP double submit cookie approach: the token is not a secret and is readable by JavaScript through the cookie, but only from the same domain, and it can only be used within an authenticated session (the JSESSIONID cookie, which is protected, has to be present as well).