Is it possible to set Secure and HttpOnly flags to (Analytics) s_cc and (Target) mbox cookies?

Description

The client's security team observed that the HttpOnly and Secure flags are missing on the “s_cc” and mbox cookies, and that this could lead to various attacks.

The Secure flag restricts a cookie to being sent only over an encrypted channel, and the HttpOnly flag keeps it out of reach of client-side scripts, so failing to set these flags leaves the cookies exposed. Also, because the mbox cookie is persistent, its contents remain readable even after the browser is closed, and an attacker could use that data for malicious activity.

Is it possible to set the Secure and HttpOnly flags on the s_cc and mbox cookies?

Resolution

We cannot set the ‘Secure’ and ‘HttpOnly’ flags on these cookies, as doing so would break their functionality.

While setting these flags is necessary and important for cookies that contain sensitive data or act as authentication cookies, to protect them from hijacking, the s_cc and mbox cookies do not contain sensitive information and need to be accessible by JavaScript: that is how these products read the data stored in the cookies and send it to the Data Collection domains for analysis and reporting.

One option we recommend to mitigate any concerns about the ‘Secure’ flag not being set is to use first-party SSL for Data Collection and to enable the HSTS header on your domain, so that all traffic, including these cookies, is guaranteed to go over HTTPS.
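An added example, not from this article or from Adobe: a small Node.js triage function that audits Set-Cookie headers the way the resolution above reasons. It treats cookies that a client-side script must read (assumed here to be s_cc and mbox) as exempt from HttpOnly, and lowers the severity of a missing Secure flag when the response carries an HSTS header; the sample response headers are constructed for the example.

```javascript
// Added example (not Adobe's code): classify Set-Cookie findings so that a scanner
// does not report script-readable analytics cookies as if they were session cookies.
// The JS_REQUIRED list is an assumption for this example; extend it per your deployment.

const JS_REQUIRED = new Set(['s_cc', 'mbox']); // read by Analytics / Target page scripts

// Parse one Set-Cookie header value into its name and the flags we care about.
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(';').map(s => s.trim());
  const eq = nameValue.indexOf('=');
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq);
  const flags = {};
  for (const a of attrs) {
    const [k, v] = a.split('=');
    flags[k.toLowerCase()] = v === undefined ? true : v;
  }
  return { name, secure: !!flags.secure, httpOnly: !!flags.httponly };
}

// headers: lower-cased response header object; 'set-cookie' is an array of values.
// Returns findings the way a reviewer would triage them, not a raw flag checklist.
function auditCookies(headers) {
  const hsts = typeof headers['strict-transport-security'] === 'string';
  const findings = [];
  for (const h of headers['set-cookie'] || []) {
    const c = parseSetCookie(h);
    if (JS_REQUIRED.has(c.name)) {
      // Script-readable by design: HttpOnly would break the product, so only the
      // transport question remains, and HSTS answers it for the whole domain.
      if (!c.secure && !hsts) findings.push({ name: c.name, issue: 'no Secure flag and no HSTS', severity: 'low' });
      continue;
    }
    if (!c.httpOnly) findings.push({ name: c.name, issue: 'missing HttpOnly', severity: 'high' });
    if (!c.secure) findings.push({ name: c.name, issue: 'missing Secure', severity: hsts ? 'low' : 'high' });
  }
  return findings;
}

// Constructed sample response headers (not captured from any real site).
const SAMPLE_HEADERS = {
  'strict-transport-security': 'max-age=31536000; includeSubDomains',
  'set-cookie': [
    's_cc=true; Path=/; Domain=.example.com',
    'mbox=session#abc#123; Path=/; Domain=.example.com; Expires=Wed, 21 Oct 2026 07:28:00 GMT',
    'sessionid=opaque; Path=/; Secure; HttpOnly; SameSite=Lax',
    'prefs=dark; Path=/'
  ]
};
```

With HSTS present, only the `prefs` cookie is reported; remove the HSTS header and the two analytics cookies also surface as low-severity transport findings.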
