Reset Search



KB16127 - HTTPOnly and the Pulse Connect Secure (QID: 150045)

« Go Back


Last Modified Date8/1/2015 10:48 PM
At times, HTTPOnly is suggested as a possible defense against session cookie theft. The HTTPOnly flag is an option that was first introduced by Microsoft in Internet Explorer 6. It is intended to make a cookie inaccessible to client side scripts.
Problem or Goal
  • Certain penetration testing solutions will flag an issue on the Pulse Connect Secure, as PCS does not use HTTPOnly
  • For more information about HTTPOnly, refer to the following link:
In Pulse Connect Secure and Pulse Policy Secure 9.0R3 or above, a new HTTPOnly session cookie option is available.

This option will create a new session cookie with HTTPOnly attribute along with DSID session cookie. The new session cookie along with DSID will be needed to restore a user session.

To enable this option, navigate to Users > User Roles > Select Role > Session Option. Under HTTP Only Device Cookie, select Enabled.

Please note, when enabling this option, only the new session cookie will have the HTTPOnly attribute.  All other cookies will not included the HTTPOnly attribute.  Security scanners will report these additional cookies are missing the HTTPOnly attribute and can be considered a false-positive. 

Related Links
Attachment 1 
Created ByData Deployment



Was this article helpful?



Please tell us how we can make this article more useful.

Characters Remaining: 255