Arrowpoint cookie HTTP Only flag set.

Unanswered Question
Jan 23rd, 2008
User Badges:

Hi All,

I have a site running an application on which we have identified a vulnerability we wish to close. The CSS11501 is using the advance balance arrowpoint cookie method, however tests are showing that the HTTP only parameter is not set. I am unable to find a way of doing this at present. Does anyone know how to acheive this?

Until I can do so there is a remote possibilty I am leaving my application open to cross site scripting attacks.

Microsoft use the HTTPOnly cookie option which sets a HTTPOnly flag. he following url has some information for review.

Thanks in advance for your help.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Gilles Dufour Wed, 01/23/2008 - 23:08
User Badges:
  • Cisco Employee,


your security test tool assume the CSS is a webserver and therefore complains when seeing some missing *flag*.

However, you won't be able to attack the CSS with whatever method that works against a webserver.

We have our own onboard DOS feature.

So, there is no option to use this microsoft HTTPOnly flag because there is no need for it.

Make sure the servers behind the CSS are protected and have your HTTPOnly flag.


alfiesummers Thu, 01/24/2008 - 02:02
User Badges:


Thanks for taking the time to respond.

Our web servers are already configured as you suggest. As such I guess we are OK if the onboard features prevent this type of attack.

Best Regards,



This Discussion