HTTPOnly compatibility on Pulse Connect Secure (QID: 150045)
This article explains the compatibility of HTTPOnly on Pulse Connect Secure (QID: 150045).
HTTPOnly is sometimes suggested as a possible defense against session cookie theft. The HTTPOnly flag is a cookie option that was first introduced by Microsoft in Internet Explorer 6 and is now supported by major browser vendors. It is intended to make a cookie inaccessible to client-side scripts. For security best practices, refer to KB29805 - Pulse Connect Secure: Security configuration best practices.
Starting with version 9.0R3, Pulse Secure introduced the HTTP Only Device Cookie option on PCS and PPS. The option is disabled by default for wider compatibility.
Note: The option only works with Pulse Desktop client version 9.1R5 and later; it is not compatible with earlier versions of the Pulse Desktop client.