Question & Answer
Question
Does IBM Cognos Analytics support the HttpOnly cookie attribute?
Answer
As part of a defense-in-depth strategy for system security, IBM Cognos Analytics supports setting the HttpOnly attribute on the session cookie that is used for user authentication. This cookie is named cam_passport. The HttpOnly setting instructs the user's browser not to allow scripts to access the cookie, and is intended to help mitigate the risk of an attacker trying to impersonate a legitimate user. More details about HttpOnly are available at https://www.owasp.org/index.php/HttpOnly . Steps for configuring the IBM Cognos application to set the attribute are documented in the Administration and Security Guide.
The cam_passport cookie is one of several cookies used in the IBM Cognos application, but it is the only one that is used explicitly for user authentication. As part of the architectural design of the application, the HttpOnly attribute is not applied to the other cookies, because they legitimately need to be accessed by the browser scripts that help form the application's user interface.
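One way to confirm the setting took effect is to inspect the Set-Cookie headers the server returns at logon. The following is an added example, not IBM code: the header values are constructed samples, ui_state_example is a hypothetical cookie name, and only cam_passport comes from this page.

```python
"""Check that every Set-Cookie line for cam_passport carries HttpOnly."""

AUTH_COOKIE = "cam_passport"  # cookie name taken from the page


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attribute dict)."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            # Attribute names are case-insensitive; cookie names are not.
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_auth_cookie(set_cookie_headers, auth_cookie=AUTH_COOKIE):
    """Return 'ok', 'missing-httponly' or 'not-set' for the auth cookie.

    One Set-Cookie line for the auth cookie without HttpOnly is a failure.
    Other cookies are skipped: they are script-readable by design.
    """
    seen = False
    for header in set_cookie_headers:
        name, _value, attrs = parse_set_cookie(header)
        if name != auth_cookie:
            continue
        seen = True
        if "httponly" not in attrs:
            return "missing-httponly"
    return "ok" if seen else "not-set"


# Constructed sample headers (not captured from a real server).
HARDENED = [
    "ui_state_example=abc; Path=/",
    "cam_passport=CONSTRUCTED_VALUE; Path=/; Secure; HTTPONLY",
]
UNHARDENED = [
    "ui_state_example=abc; Path=/",
    "cam_passport=CONSTRUCTED_VALUE; Path=/",
]

if __name__ == "__main__":
    print("hardened:  ", audit_auth_cookie(HARDENED))
    print("unhardened:", audit_auth_cookie(UNHARDENED))
```

To run it against a live system, pass in the Set-Cookie values from a logon response captured with the browser's developer tools or a proxy.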
Document Information
Modified date:
15 June 2018
UID
swg21996176