KB16127 - HTTPOnly and the Pulse Connect Secure (QID: 150045)

At times, HTTPOnly is suggested as a possible defense against session cookie theft. The HTTPOnly flag is an option that was first introduced by Microsoft in Internet Explorer 6. It is intended to make a cookie inaccessible to client side scripts.

In Pulse Connect Secure and Pulse Policy Secure 9.0R3 or above, a new HTTPOnly session cookie option is available.

This option will create a new session cookie with HTTPOnly attribute along with DSID session cookie. The new session cookie along with DSID will be needed to restore a user session.

To enable this option, navigate to Users > User Roles > Select Role > Session Option. Under HTTP Only Device Cookie, select Enabled.

Please note, when enabling this option, only the new session cookie will have the HTTPOnly attribute.  All other cookies will not included the HTTPOnly attribute.  Security scanners will report these additional cookies are missing the HTTPOnly attribute and can be considered a false-positive.