KB-1189 _appianCsrfToken and __appianMultipartCsrfToken are not marked as secure cookies

Symptoms

While performing network vulnerability tests, users may notice that the _appianCsrfToken and __appianMultipartCsrfToken cookies are not marked as secure. Even with secure cookies designated in the web.xml file, the only cookie marked as secure is the JSESSIONID.
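To confirm what a scanner is reporting before acting on it, it helps to look at the raw Set-Cookie headers and list which cookies carry the Secure and HttpOnly attributes. The script below is an added example, not Appian's code: it parses Set-Cookie header values the way a scanner would and reports any cookie missing either flag. The sample headers are constructed for illustration (the cookie names are the ones discussed in this article; the values and the /suite path are placeholders), and the optional live check uses only the Python standard library.

```python
"""Report cookies whose Set-Cookie header lacks the Secure or HttpOnly flag.

Added example, not Appian's own code. The sample headers below are
constructed; the values are placeholders, not real session or CSRF tokens.
"""
import sys
import urllib.request
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed sample of what an HTTPS response might send: only JSESSIONID
# carries both flags, matching the symptom described in the article.
SAMPLE_SET_COOKIE_HEADERS = [
    "JSESSIONID=PLACEHOLDER_SESSION_ID; Path=/suite; Secure; HttpOnly",
    "_appianCsrfToken=PLACEHOLDER_CSRF_VALUE; Path=/suite",
    "__appianMultipartCsrfToken=PLACEHOLDER_MULTIPART_CSRF_VALUE; Path=/suite",
]


@dataclass
class CookieFlags:
    name: str
    secure: bool
    httponly: bool


def parse_set_cookie(header_value: str) -> CookieFlags:
    """Split one Set-Cookie value into its cookie name and boolean flags.

    Attributes are matched case-insensitively, as browsers do; the first
    segment is always the name=value pair, the rest are attributes.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return CookieFlags(name=name, secure="secure" in attrs, httponly="httponly" in attrs)


def cookies_missing_flags(headers: Iterable[str]) -> Dict[str, List[str]]:
    """Return {cookie name: [missing flag names]} for every cookie lacking a flag."""
    findings: Dict[str, List[str]] = {}
    for header in headers:
        cookie = parse_set_cookie(header)
        missing = []
        if not cookie.secure:
            missing.append("Secure")
        if not cookie.httponly:
            missing.append("HttpOnly")
        if missing:
            findings[cookie.name] = missing
    return findings


def fetch_set_cookie_headers(url: str) -> List[str]:
    """Fetch a URL and return its Set-Cookie headers (live check, optional)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.headers.get_all("Set-Cookie") or []


if __name__ == "__main__":
    # Pass an HTTPS URL on the command line to check a real response;
    # with no argument the constructed sample is analysed instead.
    headers = fetch_set_cookie_headers(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SET_COOKIE_HEADERS
    report = cookies_missing_flags(headers)
    if not report:
        print("All cookies carry both Secure and HttpOnly.")
    for name, missing in report.items():
        print(f"{name}: missing {', '.join(missing)}")
```

Run against the sample, the report lists both CSRF cookies as missing Secure and HttpOnly while JSESSIONID is not reported, which is exactly the pattern the article describes. Because the check is keyed on the raw header text, it is independent of any scanner's interpretation and can be rerun after an upgrade to confirm the flags are present.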

Cause

The cookies _appianCsrfToken and __appianMultipartCsrfToken are not marked as "HTTP Only" by design in older versions of Appian. When SSL is enabled, the cookies are encrypted at the transport layer, which secures them in transit.

Securing all cookies with the "HTTP Only" flag is a feature included in version 7.11 and above.

Action

Upgrade to 7.11 to be able to secure all cookies.

Workaround

Disregard your scan report results for the _appianCsrfToken and __appianMultipartCsrfToken cookies.

Affected Versions

This article applies to Appian 7.10 and earlier.

Last Reviewed: March 2017
