
n1cyy (n1cyy) asked a question.
We have an application configured with Okta login. When the login page is loaded there are cookies t and DT. During login another cookie, sid, is created. In a security scan, vulnerabilities were reported mentioning that the cookie does not have the Secure and HttpOnly attributes. In a blog it was previously mentioned that the cookie t will be remediated in future. Can you please help us understand the impact of it not having the HttpOnly and Secure attributes? Also, can you please give us more details about the DT and sid cookies?

Hello @n1cyy (n1cyy), thank you for reaching out to our Community!
Please see the article and Dev forum post below, which discuss the same issue. From what I can see here this is intended behaviour, and the explanations can be found below:
https://support.okta.com/help/s/article/Okta-SDKs-not-storing-JWTs-as-httponly-cookie?language=en_US
https://devforum.okta.com/t/cookies-without-secure-and-http-flag-set/3540
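Added example (not code from this thread or from Okta): a small audit of `Set-Cookie` response headers that reproduces the check a scanner applies, so a team can see for themselves which of the `t`, `DT` and `sid` cookies their login page sets without `Secure` or `HttpOnly`. The sample headers are constructed and do not reproduce Okta's real cookie values or attributes.

```python
"""Audit Set-Cookie headers for missing Secure / HttpOnly attributes.

Secure   -> the browser only sends the cookie over HTTPS.
HttpOnly -> the cookie is not readable from page script (document.cookie).
A scanner flags any cookie that lacks either attribute; this script
re-creates that check over a captured list of Set-Cookie header values.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional


@dataclass
class CookieAudit:
    name: str
    secure: bool
    httponly: bool
    samesite: Optional[str]
    missing: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieAudit:
    """Split one Set-Cookie header value into its name and attribute flags."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()  # flags keep an empty value
    secure = "secure" in attrs
    httponly = "httponly" in attrs
    missing = [a for a, ok in (("Secure", secure), ("HttpOnly", httponly)) if not ok]
    return CookieAudit(name, secure, httponly, attrs.get("samesite") or None, missing)


def audit_headers(set_cookie_headers: Iterable[str],
                  watched: Iterable[str] = ("t", "DT", "sid")) -> Dict[str, List[str]]:
    """Map each watched cookie that the response sets to its missing attributes."""
    watched = set(watched)
    findings: Dict[str, List[str]] = {}
    for header in set_cookie_headers:
        audit = parse_set_cookie(header)
        if audit.name in watched:
            findings[audit.name] = audit.missing
    return findings


# Constructed sample (hypothetical values): a login-page response that sets the
# three cookies from the question with deliberately inconsistent attributes.
SAMPLE_SET_COOKIE = [
    "t=transaction-placeholder; Path=/; SameSite=Lax",
    "DT=device-token-placeholder; Path=/; Secure; HttpOnly; SameSite=None",
    "sid=session-placeholder; Path=/; Secure; SameSite=Lax",
]

if __name__ == "__main__":
    for cookie, missing in audit_headers(SAMPLE_SET_COOKIE).items():
        print(f"{cookie}: {'OK' if not missing else 'missing ' + ', '.join(missing)}")
```

To run it against a real response, replace `SAMPLE_SET_COOKIE` with the `Set-Cookie` values captured from the login page (for example from `response.raw.headers.getlist("Set-Cookie")` in `requests`, or from the browser's network panel).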