IBM Support

IT02094: THE APPLICATION SESSION TOKEN DOES NOT HAVE THE HTTPONLY ATTRIBUTE SET WHEN IT IS CREATED

Subscribe

You can track all active APARs for this component.

APAR status

  • Closed as fixed if next.

Error description

  • The application session token does not have the "HttpOnly"
    attribute set when it is created. The session token is set
    without the 'HttpOnly' attribute meaning that client-side
    scripts, such as JavaScript, can access it. As such, any
    Cross-site Scripting (XSS) vulnerabilities within
    theApplication that allow for the injection of JavaScript can
    be used to hijack the victim s session.
    

Local fix

  • Not available
    

Problem summary

Problem conclusion

Temporary fix

Comments

APAR Information

  • APAR number

    IT02094

  • Reported component name

    DATAPOWER

  • Reported component ID

    DP1234567

  • Reported release

    402

  • Status

    CLOSED FIN

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2014-05-28

  • Closed date

    2014-07-01

  • Last modified date

    2014-07-01

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

Applicable component levels

  • R700 PSN

       UP



Document information

More support for: IBM DataPower Gateways
General

Software version: 4.0.2

Reference #: IT02094

Modified date: 01 July 2014