Issue
- LFR_SESSION_STATE cookies are not marked as HttpOnly
Environment
- Liferay DXP, Liferay 6.2
Resolution
This is not a security issue. The cookie is created and read entirely by session.js, the portal's own client-side JavaScript, under the key

_cookieKey: 'LFR_SESSION_STATE_' + themeDisplay.getUserId()

It holds only the time at which the user's session started (see the getTimestamp and setTimestamp functions in session.js). It is generated in the user's browser and is never persisted on the server side, and because it contains nothing but that timestamp there is no session identifier or other secret in it for a script to steal.

It also cannot be made HttpOnly: that flag can only be set by the server in a Set-Cookie header, and a cookie carrying it is invisible to document.cookie. If the flag were applied, session.js could no longer read or update the timestamp and the portal's client-side session handling would break. That is why this cookie is intentionally left without HttpOnly.
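The following is an added illustration, not Liferay's session.js, of the two browser rules the resolution depends on: only the server can set HttpOnly, and an HttpOnly cookie is invisible to page scripts. It uses an in-memory cookie jar so it runs under Node without a DOM; the jar functions, the triage helper, the user id 20139 and the name JSESSIONID for the server-set session cookie are assumptions for the example, and getTimestamp/setTimestamp are a stand-in for the real functions, not their code.

```javascript
// Added example, not Liferay's session.js: an in-memory cookie jar that models
// the browser rules the article relies on, so it runs under Node without a DOM.
// Everything except the LFR_SESSION_STATE_ prefix and the function names
// getTimestamp/setTimestamp is assumed for illustration.

const COOKIE_PREFIX = 'LFR_SESSION_STATE_';

function cookieKey(userId) {
  return COOKIE_PREFIX + userId; // mirrors _cookieKey in session.js
}

// jar: Map<name, { value, httpOnly }>
function createJar() {
  return new Map();
}

// Server-side Set-Cookie: the only place the HttpOnly flag can be set.
function serverSetCookie(jar, name, value, { httpOnly = false } = {}) {
  jar.set(name, { value, httpOnly });
}

// Script-side write through document.cookie: HttpOnly can never be set here.
function scriptSetCookie(jar, name, value) {
  jar.set(name, { value, httpOnly: false });
}

// What document.cookie exposes to page scripts: HttpOnly cookies are omitted.
function documentCookie(jar) {
  return [...jar.entries()]
    .filter(([, c]) => !c.httpOnly)
    .map(([name, c]) => `${name}=${encodeURIComponent(c.value)}`)
    .join('; ');
}

// Parse an "a=1; b=2" string (document.cookie or a Cookie request header).
function parseCookies(str) {
  const out = {};
  for (const part of str.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Client-side timestamp handling in the spirit of session.js (assumed implementation).
function setTimestamp(jar, userId, ts = Date.now()) {
  scriptSetCookie(jar, cookieKey(userId), String(ts));
}

function getTimestamp(jar, userId) {
  const raw = parseCookies(documentCookie(jar))[cookieKey(userId)];
  if (raw === undefined) return null;
  const ts = Number(raw);
  return Number.isInteger(ts) && ts > 0 ? ts : null;
}

// Triage helper for scanner findings: an LFR_SESSION_STATE_* cookie is benign
// only if its value is a plain Unix timestamp in milliseconds.
function triageSessionStateCookies(cookieHeader) {
  const results = [];
  for (const [name, value] of Object.entries(parseCookies(cookieHeader))) {
    if (!name.startsWith(COOKIE_PREFIX)) continue;
    const benign = /^\d{13}$/.test(value);
    results.push({
      name,
      benign,
      reason: benign
        ? 'client-side timestamp only; HttpOnly not applicable'
        : 'unexpected value; investigate what is writing this cookie',
    });
  }
  return results;
}

// Demonstration with constructed data.
const jar = createJar();
serverSetCookie(jar, 'JSESSIONID', 'A1B2C3', { httpOnly: true }); // real session id, server-set
setTimestamp(jar, 20139, 1700000000000);
console.log(documentCookie(jar));      // only LFR_SESSION_STATE_20139 is visible to scripts
console.log(getTimestamp(jar, 20139)); // 1700000000000

// Forcing HttpOnly onto the state cookie makes it unreadable to session.js.
serverSetCookie(jar, cookieKey(20139), '1700000000000', { httpOnly: true });
console.log(getTimestamp(jar, 20139)); // null: client-side session handling is now broken
```

When a scanner reports this cookie, the useful check is the one triageSessionStateCookies performs: confirm the value is nothing but a timestamp. The HttpOnly flag belongs on the server-set session cookie, which the jar above keeps hidden from document.cookie, not on a cookie that exists only for page scripts.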