KB-1189 _appianCsrfToken and __appianMultipartCsrfToken are not marked as secure cookies


While performing network vulnerability tests, users may notice the _appianCsrfToken and __appianMultipartCsrfToken are not marked as secure. Even with secure cookies designated in the web.xml file, the only cookie marked as secure is the JSESSIONID.


The cookies _appianCsrfToken and __appianMultipartCsrfToken are not marked as "HTTP Only" by design in older versions of Appian. When SSL is enabled, the cookies will be encrypted at the transport layer thus securing them.

Securing all cookies with the "HTTP Only" flag is a feature included in version 7.11 and above.


Upgrade to 7.11 to be able to secure all cookies.


Disregard your scan report results for the _appianCsrfToken and __appianMultipartCsrfToken cookies.

Affected Versions

This article applies to Appian 7.10 and earlier.

Last Reviewed: March 2017