IBM Support

HttpOnly for cookies in IBM Cognos Business Intelligence (BI)

Question & Answer


Question

Does IBM Cognos Analytics support the HttpOnly cookie attribute?

Answer

As part of a defense-in-depth strategy for system security, IBM Cognos Analytics supports setting the HttpOnly attribute on the session cookie that is used for user authentication. This cookie is named cam_passport. The HttpOnly setting instructs the user's web browser not to allow scripts to access the cookie, and is intended to help mitigate the risk of an attacker trying to impersonate a legitimate user. More details about HttpOnly are available at https://www.owasp.org/index.php/HttpOnly. Steps for configuring the IBM Cognos application to set the attribute are documented in the Administration and Security Guide.

The cam_passport cookie is one of several cookies used in the IBM Cognos application, but it is the only one that is used explicitly for user authentication. As part of the architectural design of the application, the HttpOnly attribute is not applied to the other cookies, because they legitimately need to be accessed by the browser scripts that help form the application's user interface.
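The following is an added example, not IBM's code or part of the original page: a Python check that parses Set-Cookie response headers and reports whether cam_passport carries HttpOnly, while treating its absence on the other cookies as expected. The header values and the cookie name ui_state_example are constructed for illustration.

```python
# Added example: audit Set-Cookie headers for the HttpOnly attribute.
# Header values below are constructed samples, not captured from a Cognos server.

AUTH_COOKIE = "cam_passport"  # authentication cookie named on this page


def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    parts = [p.strip() for p in header_value.split(";")]
    # Only the first "=" separates name from value; the value may contain "=".
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name.strip(), value, attrs


def audit_httponly(set_cookie_headers, auth_cookie=AUTH_COOKIE):
    """Return {cookie name: True if HttpOnly is set}.

    Raises LookupError if the authentication cookie is never set, so a
    missing cookie is not mistaken for a passing check.
    """
    result = {}
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        result[name] = "httponly" in attrs  # last header for a name wins
    if auth_cookie not in result:
        raise LookupError(f"{auth_cookie} was not set in this response")
    return result


# Constructed samples: one response with the attribute, one without it.
HARDENED = [
    "cam_passport=EXAMPLEVALUE; Path=/; Secure; HttpOnly",
    "ui_state_example=abc; Path=/",  # hypothetical UI cookie read by scripts
]
UNHARDENED = [
    "cam_passport=EXAMPLEVALUE; Path=/; Secure",
    "ui_state_example=abc; Path=/",
]

if __name__ == "__main__":
    for label, headers in (("hardened", HARDENED), ("unhardened", UNHARDENED)):
        flags = audit_httponly(headers)
        status = "OK" if flags[AUTH_COOKIE] else "MISSING HttpOnly"
        print(f"{label}: {AUTH_COOKIE} -> {status}; all cookies: {flags}")
```

Only the cam_passport result should gate a pass or fail; a False for the other cookies matches the design described above.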


Document Information

Modified date:
15 June 2018

UID

swg21996176