Is it possible to set Secure and HttpOnly flags to (Analytics) s_cc and (Target) mbox cookies?

Description

Environment

  • Customer Journey Analytics
  • Analytics
  • Target

Issue/Symptoms

The client security team observed that HttpOnly and Secure Flags are missing for “s_cc” and mbox cookies, and this could lead to various attacks.

As Secureflag for cookies will allow the cookies only through the secure channel while the HttpOnly flag will protect the cookie from client-side scripting, failure to set those flags will make the cookies vulnerable to attacks. Also, as the Mbox cookie is persistent, it shows cookie information even after closing the browser. Using this data, an attacker could do malicious activities.

Is it possible to set Secureflag and HttpOnly flags to s_cc and mbox cookies?

Resolution

The ‘Secure’ and ‘HttpOnly’ flags cannot be set on these cookies as they would break the cookies’ functionality.

While setting these flags is necessary and important for cookies that contain sensitive data or act as authentication cookies to protect them from hijacking, s_cc and mbox cookies do not contain sensitive information. They need to be accessible by JavaScript as that is how these products access the data stored in the cookies and send it to Data Collection domains for analysis and reporting.

One option that is recommended to mitigate any concerns around the ‘Secure’ flag not being set is to use first-party SSL on Data Collection and to support the HSTS header on your domain, so all traffic is ensured to be over HTTPS, including these cookies.

On this page