KB16127 - HTTPOnly compatibility with Pulse Connect Secure (QID: 150045)

Information

 
Last Modified Date: 8/1/2015 10:48 PM
Synopsis

This article explains the compatibility of HTTPOnly on Pulse Connect Secure (QID: 150045).

The HttpOnly cookie attribute is sometimes suggested as a defense against session cookie theft. Microsoft introduced the flag in Internet Explorer 6 SP1, and it is now supported by all major browsers. A cookie carrying HttpOnly cannot be read from client-side script (for example through document.cookie), so a cross-site scripting payload cannot simply exfiltrate it. The browser still sends the cookie with every matching request, however, so HttpOnly does not stop script running in the victim's browser from issuing requests in the user's session. For security best practice, refer to KB29805 - Pulse Connect Secure: Security configuration best practices.

Starting with release 9.0R3, Pulse Secure added an HTTP Only Device Cookie option to Pulse Connect Secure (PCS) and Pulse Policy Secure (PPS). The option is disabled by default for wider client compatibility.

Note: The option only works with Pulse Desktop Client 9.1R5 and later; earlier Pulse Desktop Client versions are not compatible with it.
Problem or Goal
Some penetration testing and vulnerability scanning tools flag PCS because its session cookie does not carry the HttpOnly attribute. The DSDID (HTTP Only Device Cookie) feature that addresses this finding is incompatible with Pulse Desktop and Pulse Mobile clients older than 9.1R5.

Example:
A Pulse Desktop 9.1R4 client does not send a DSDID cookie. If PCS is configured to require DSDID cookies, a Pulse Desktop 9.1R4 client cannot establish a session.

For more information about HTTPOnly, refer to https://owasp.org/www-community/HttpOnly
Solution
When the HTTP Only Device Cookie option is enabled, PCS issues an additional session cookie, DSDID, with the HttpOnly attribute, alongside the existing DSID session cookie. Both cookies are required to restore a user session, so a client that does not present DSDID cannot resume its session. The option is disabled by default.

To enable this option, follow the below steps:
  1. Navigate to Users > User Roles 
  2. Select the desired role 
  3. Select Session Option
  4. Under HTTP Only Device Cookie, select Enabled

Pulse Connect Secure / Pulse Policy Secure 9.1R5 is compatible with all features and clients; the Pulse Desktop Client itself must also be 9.1R5 or later for the DSDID cookie to be sent.
 
Best Practice:
As a best practice, upgrade the Pulse Secure Desktop Client to 9.1R5 or later before enabling HTTP Only Device Cookie for any role that uses the client; otherwise those clients will be unable to establish a session.

Note:
When this option is enabled, only the new DSDID session cookie carries the HttpOnly attribute; all other cookies, including DSID, do not.
Security scanners will therefore continue to report those other cookies as missing HttpOnly. Because a session cannot be restored without the HttpOnly DSDID cookie, that finding can be treated as a false positive.
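The following Python script is an added illustration, not Pulse Secure code or tooling. It parses the Set-Cookie headers a sign-in response returns and reports which cookies carry HttpOnly and whether the DSDID device cookie is present, which is the check to run after enabling the option and the way to triage a scanner finding that lists DSID. The cookie values and the DSOTHER cookie name are constructed placeholders; only DSID and DSDID are names from this article.

```python
"""Audit Set-Cookie headers for the HttpOnly attribute (constructed example).

Usage: feed audit_cookies() the list of Set-Cookie header values from a
PCS/PPS sign-in response (e.g. collected with curl -sI, or from a browser's
network panel) and read the verdict from interpret().
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class CookieInfo:
    name: str
    value: str
    # lower-cased attribute name -> value ("" for boolean flags such as Secure)
    attributes: Dict[str, str] = field(default_factory=dict)

    @property
    def httponly(self) -> bool:
        return "httponly" in self.attributes

    @property
    def secure(self) -> bool:
        return "secure" in self.attributes


def parse_set_cookie(header_value: str) -> CookieInfo:
    """Parse one Set-Cookie header value: NAME=value; attr[=val]; ... (RFC 6265)."""
    parts = [p.strip() for p in header_value.split(";")]
    name, sep, value = parts[0].partition("=")
    if not sep or not name.strip():
        raise ValueError(f"malformed Set-Cookie: {header_value!r}")
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return CookieInfo(name.strip(), value, attrs)


def audit_cookies(set_cookie_headers: List[str]) -> dict:
    """Summarise which cookies lack HttpOnly/Secure and whether DSDID is issued."""
    cookies = [parse_set_cookie(h) for h in set_cookie_headers]
    by_name = {c.name: c for c in cookies}
    return {
        "missing_httponly": sorted(c.name for c in cookies if not c.httponly),
        "missing_secure": sorted(c.name for c in cookies if not c.secure),
        "dsdid_present": "DSDID" in by_name,
        "dsdid_httponly": by_name["DSDID"].httponly if "DSDID" in by_name else False,
    }


def interpret(result: dict) -> str:
    """Turn the audit into the triage decision this article describes."""
    if not result["dsdid_present"]:
        return "HTTP Only Device Cookie not in effect: no DSDID cookie issued"
    if not result["dsdid_httponly"]:
        return "DSDID issued without HttpOnly: unexpected, investigate"
    others = [n for n in result["missing_httponly"] if n != "DSDID"]
    if others:
        # Per the KB: session cannot be restored without HttpOnly DSDID, so
        # a scanner listing these remaining cookies is a false positive.
        return "false positive: only " + ", ".join(others) + " lack HttpOnly, DSDID is HttpOnly"
    return "all cookies HttpOnly"


# Constructed sample headers (not captured from a real appliance): what a
# scanner sees before the option is enabled (DSID only) and after (DSID plus
# the HttpOnly DSDID cookie). Values are placeholders.
BEFORE = [
    "DSID=0123456789abcdef0123456789abcdef; path=/; secure",
    "DSOTHER=placeholder; path=/; expires=Fri, 01-Jan-2038 00:00:00 GMT; secure",
]
AFTER = BEFORE + ["DSDID=fedcba9876543210fedcba9876543210; path=/; secure; HttpOnly"]

if __name__ == "__main__":
    for label, headers in (("before", BEFORE), ("after", AFTER)):
        result = audit_cookies(headers)
        print(f"{label}: {result}")
        print(f"  verdict: {interpret(result)}")
```

The parser deliberately splits only on ";" so attribute values containing commas (such as Expires dates) survive; cookie names are compared case-sensitively because the appliance issues them as DSID and DSDID exactly.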
Created By: Data Deployment