PingAM

HttpOnly session cookies

To help protect against cross-site scripting (XSS) attacks, configure session cookies with the HttpOnly flag. When a cookie has this flag, browsers prevent client-side scripts, including any injected through an XSS flaw, from reading it. This is an effective way to prevent attackers from stealing session information through the browser.

By default, AM enables the HttpOnly flag on its session cookies.

When the HttpOnly flag is enabled, a successful call to the /json/authenticate endpoint returns a response with an empty tokenId field. This happens because the session token is sent in the HttpOnly cookie and is not available to the script to be included in the JSON payload.

For example:

{
  "tokenId":"",
  "successUrl":"/openam/console",
  "realm":"/alpha"
}

Verify the HttpOnly flag is enabled

The HttpOnly flag is enabled by default. To verify that it’s enabled, follow these steps:

  1. In the AM admin UI, go to Configure > Server Defaults > Advanced.

  2. Find the com.sun.identity.cookie.httponly advanced server property and make sure it’s set to true.

  3. If you change the value, save your changes and restart AM or the container where it runs.

  4. If you have a site with multiple AM servers, verify this setting on each server.

AM also uses the Secure flag for cookies. When a request is made over HTTPS, AM adds the Secure flag to all cookies (except amlbcookie). This flag tells the browser to only send the cookie over an encrypted connection.
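The following script, added here as an example and not part of the PingAM documentation, checks a captured /json/authenticate response against the behaviour described above: the session cookie must carry HttpOnly, every cookie except amlbcookie must carry Secure on an HTTPS response, and the tokenId in the JSON body must be empty. The response headers and body are constructed sample data, and the session cookie name iPlanetDirectoryPro is an assumption.

```python
import json
from http.cookies import SimpleCookie

# Constructed sample: a /json/authenticate response as the page describes it
# (empty tokenId in the body, session token carried in an HttpOnly cookie).
# The session cookie name "iPlanetDirectoryPro" and all values are assumptions.
SAMPLE_HEADERS = [
    ("Content-Type", "application/json"),
    ("Set-Cookie", "iPlanetDirectoryPro=EXAMPLE_SESSION_TOKEN; Path=/; Domain=.example.com; HttpOnly; Secure"),
    ("Set-Cookie", "amlbcookie=01; Path=/; Domain=.example.com"),
]
SAMPLE_BODY = '{"tokenId":"","successUrl":"/openam/console","realm":"/alpha"}'

SESSION_COOKIES = {"iPlanetDirectoryPro"}  # assumed session cookie name
SECURE_EXEMPT = {"amlbcookie"}             # AM does not add Secure to this cookie

def parse_set_cookies(headers):
    """Map each Set-Cookie header to {name: {"httponly": bool, "secure": bool}}."""
    cookies = {}
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)  # parses the cookie pair and its attributes, flags included
        for name, morsel in jar.items():
            cookies[name] = {"httponly": bool(morsel["httponly"]), "secure": bool(morsel["secure"])}
    return cookies

def check_cookie_flags(cookies, over_https=True):
    """Return findings; an empty list means the flags match the documented defaults."""
    findings = []
    for name, flags in cookies.items():
        if name in SESSION_COOKIES and not flags["httponly"]:
            findings.append(f"{name}: HttpOnly missing, check com.sun.identity.cookie.httponly")
        if over_https and name not in SECURE_EXEMPT and not flags["secure"]:
            findings.append(f"{name}: Secure missing on an HTTPS response")
    return findings

def token_exposed_in_body(body):
    """True if tokenId is non-empty, i.e. the token is readable by client-side script."""
    return bool(json.loads(body).get("tokenId"))

if __name__ == "__main__":
    parsed = parse_set_cookies(SAMPLE_HEADERS)
    print(check_cookie_flags(parsed) or "cookie flags match the documented defaults")
    print("tokenId exposed in JSON body:", token_exposed_in_body(SAMPLE_BODY))
```

Running it against a real response (for example, the headers and body saved from a curl call to /json/authenticate) gives a quick confirmation that the server property above is in effect on each AM server in a site.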