Issue
Cookies set in Mendix applications are missing the Secure and HTTPOnly attributes.
Environment
Applications hosted in Mendix Cloud
Cause
Security scanning tools can report findings about the way Mendix handles cookies, for example that cookies are insecure or vulnerable, or that they have improper or missing attributes. One common concern is that end-users can use tools in their browsers or on their devices to change the data which is held locally and use this to gain access to information which should not be available to them.
Setting the Secure attribute on a cookie prevents clients from transmitting that cookie over unencrypted communication channels. A browser that supports this attribute only sends a cookie carrying the Secure flag over HTTPS; it is never sent over unsecured HTTP (except on localhost), which means man-in-the-middle attackers cannot easily access it.
A cookie with the HTTPOnly attribute cannot be accessed by JavaScript; it is only available to the server once the browser sends it with a request. This precaution helps mitigate cross-site scripting (XSS) attacks.
For more information, refer to the Security section of MDN's documentation on cookies.
Solution/Workaround
These security scanning tools regularly flag certain cookies in Mendix apps that do not have the Secure and HTTPOnly attributes. The following explains why these findings are reported, and why they are not a cause for concern:
Cookie Missing Secure Attribute
Mendix sets the Secure attribute on cookies by default. The only exception is the cookie mx-cookie-test. This is a cookie that Mendix sets temporarily to verify whether it has access to cookies at all. This helps determine whether the end-user needs to be warned to enable them, as Mendix relies heavily on cookies to function. For more information, refer to the Cookies section of the Mendix Client documentation.
Cookie Missing HTTPOnly Attribute
In Mendix Cloud, (almost all) cookies have the HTTPOnly attribute set to true by default.
For Mendix applications, cookies have the HTTPOnly attribute set to true when they are set by the Mendix Runtime. Cookies which are set by the Mendix Client cannot have the HTTPOnly attribute set to true, because an HTTPOnly cookie is not accessible to JavaScript, which is the language the Mendix Client is written in.
Cookies set by the Mendix Runtime, which may contain sensitive information such as the session ID, always have the HTTPOnly flag set to true. Cookies set by the Mendix Client with HTTPOnly set to false will never contain any sensitive information.
For more information, refer to our Frequently Asked Questions - Security documentation.
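To check a scanner's finding against what an application actually sends, the Set-Cookie headers can be audited directly. The script below is an added example, not Mendix code: it parses Set-Cookie headers and reports, per cookie, which of the Secure and HttpOnly attributes are absent. The sample headers are constructed; only the cookie name mx-cookie-test is taken from this article, and the other cookie names, values and attribute combinations are illustrative stand-ins for a Runtime-set session cookie and a Client-set cookie.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly attributes.

Added example, not Mendix code. The sample headers are constructed;
only the cookie name 'mx-cookie-test' comes from the article.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample headers, mirroring the article's explanation:
# a Runtime-set session cookie carrying both attributes, the
# mx-cookie-test cookie without Secure, and a Client-set cookie
# that cannot be HttpOnly because JavaScript must read it.
SAMPLE_SET_COOKIE_HEADERS = [
    "example-session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",  # constructed name
    "mx-cookie-test=1; Path=/; HttpOnly",                                  # name from the article
    "example-client-pref=dark; Path=/; Secure",                            # constructed name
]


@dataclass
class Cookie:
    name: str
    value: str
    # attribute name (lower-cased) -> attribute value ("" for flags)
    attrs: Dict[str, str] = field(default_factory=dict)


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value.

    Attribute names are matched case-insensitively, as browsers do
    (RFC 6265, section 5.2), so 'HttpOnly' and 'HTTPOnly' are the same.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip())
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        cookie.attrs[key.strip().lower()] = val.strip()
    return cookie


def audit_cookies(headers: List[str]) -> Dict[str, List[str]]:
    """Return cookie name -> list of missing attributes (empty if none)."""
    findings: Dict[str, List[str]] = {}
    for header in headers:
        cookie = parse_set_cookie(header)
        missing = []
        if "secure" not in cookie.attrs:
            missing.append("Secure")
        if "httponly" not in cookie.attrs:
            missing.append("HttpOnly")
        findings[cookie.name] = missing
    return findings


if __name__ == "__main__":
    for cookie_name, missing in audit_cookies(SAMPLE_SET_COOKIE_HEADERS).items():
        status = "ok" if not missing else "missing " + ", ".join(missing)
        print(f"{cookie_name}: {status}")
```

Run against real headers (for example the Set-Cookie values captured from a response), the output lets you match each flagged cookie to the explanation above: a Runtime-set cookie should show no missing attributes, while a cookie lacking Secure or HttpOnly should be one of the documented exceptions.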
Related internal information
- 172701, 210332, 211435, 224119, 233399
Additional information
- Mendix documentation: