Set saml_request_path cookie as httponly & secure | Community
July 17, 2018
Solved

Hello Team, can someone let me know how to set the saml_request_path cookie as HttpOnly and Secure in AEM? Our website was given for a web scan, and this is the response that we got in the web scan report.

Attack Request:

POST /saml_login HTTP/1.1
Host: <myhost>
Connection: keep-alive
Content-Length: 10825
Cache-Control: max-age=0
Origin: <>
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
...
..
etc
&

Attack Response:

HTTP/1.1 302 Found
Cache-Control: no-cache, no-store, must-revalidate
Keep-Alive: timeout=5, max=100
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Location: https://<myapp>.html
Server: XYZ
Set-Cookie: login-token=abcde%3acrx.default; Path=/; HttpOnly; Secure
Set-Cookie: saml_request_path="";Version=1;Path=/;Expires=Tue, 17-Jul-2018 11:08:09 GMT;Max-Age=1
X-Content-Type-Options: nosniff

2 replies

wimsymonsvrt (Accepted solution)
July 18, 2018

Make sure your sslfilter is configured correctly if you are using SSL termination in the dispatcher or load balancer.

See "AEM redirecting user back to http if accessed through SSL terminated Load Balancer" for details.

We experienced the same issue. When the sslfilter is set correctly, the cookie becomes secure as well.
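To confirm the fix after reconfiguring the SSL filter, here is an added example (not from this thread and not AEM code) that parses the Set-Cookie headers of a raw HTTP response like the one in the question and reports every cookie lacking Secure or HttpOnly; the response text is a constructed sample with placeholder host and token values.

```python
"""Report Set-Cookie headers in a raw HTTP response that lack Secure or HttpOnly."""
from typing import Dict, List

# Constructed sample mirroring the scan response in the question; host and
# token values are placeholders, not real data.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Cache-Control: no-cache, no-store, must-revalidate\r\n"
    "Location: https://example.invalid/app.html\r\n"
    "Set-Cookie: login-token=abcde%3acrx.default; Path=/; HttpOnly; Secure\r\n"
    'Set-Cookie: saml_request_path="";Version=1;Path=/;'
    "Expires=Tue, 17-Jul-2018 11:08:09 GMT;Max-Age=1\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
)

REQUIRED_FLAGS = ("secure", "httponly")


def parse_set_cookies(raw_response: str) -> List[Dict[str, object]]:
    """Return one record per Set-Cookie header: name, value and lower-cased attribute names."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    cookies = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        header, sep, value = line.partition(":")
        if not sep or header.strip().lower() != "set-cookie":
            continue
        # Attribute values never contain ';', so a plain split is safe even for Expires dates.
        parts = [p.strip() for p in value.split(";")]
        cname, _, cval = parts[0].partition("=")
        # Attributes may carry values (Path=/); flags such as Secure/HttpOnly do not.
        attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
        cookies.append({"name": cname.strip(), "value": cval.strip('"'), "attrs": attrs})
    return cookies


def missing_flags(raw_response: str) -> Dict[str, List[str]]:
    """Map cookie name -> required flags it lacks; cookies that carry both are omitted."""
    report = {}
    for cookie in parse_set_cookies(raw_response):
        lacking = [flag for flag in REQUIRED_FLAGS if flag not in cookie["attrs"]]
        if lacking:
            report[cookie["name"]] = lacking
    return report


if __name__ == "__main__":
    for name, flags in missing_flags(SAMPLE_RESPONSE).items():
        print(f"{name}: missing {', '.join(flags)}")
```

A cookie that only clears a value (empty value, Max-Age=1) is still reported, which matches what the scanner flagged for saml_request_path.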

July 18, 2018

Do I need to mention your site should be on https?