<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content

OAuth Cookies Not Set to HttpOnly

Okta Classic Engine
Okta Identity Engine
SDKs & Libraries

Overview

This article discusses the purpose of the okta-oauth-nonce, okta-oauth-redirect-params, and okta-oauth-state cookies set by Okta's JavaScript libraries and why they are not set to HttpOnly.

browser cookies

Applies To

Cause

When Okta's JavaScript libraries are used to complete the login flow for an OpenID Connect (OIDC) application, it will store parameters used to complete the flow within the following cookies:

  • okta-oauth-nonce
  • okta-oauth-redirect-params
  • okta-oauth-state

These cookies are used to track parameters used in the OpenID Connect flow (for example, Authorization Code Flow) so that the application is able to persist these values. 

Solution

As these cookies are being set and then read by the Okta JavaScript libraries, they must not be set to HttpOnly so they can be used by the library to complete the user login flow. If the cookies were set to HttpOnly, it would not be possible for the JavaScript libraries to read them to complete the OpenID Connect flow.

 

Related References

Loading
Okta Support - OAuth Cookies Not Set to HttpOnly