Is it possible to set Secure and HttpOnly flags to (Analytics) s_cc and (Target) mbox cookies?

The Secure and HttpOnly flags cannot be set on (Analytics) s_cc and (Target) mbox cookies as this would break the cookies’ functionality.

Description description

Environment

Issue/Symptoms

The client security team observed that HttpOnly and Secure Flags are missing for “s_cc” and mbox cookies, and this could lead to various attacks.

As Secureflag for cookies will allow the cookies only through the secure channel while the  HttpOnly flag will protect the cookie from client-side scripting, failure to set those flags will make the cookies vulnerable to attacks. Also, as the Mbox cookie is persistent, it shows cookie information even after closing the browser. Using this data, an attacker could engage in malicious activities.

Is it possible to set Secureflag and HttpOnly flags to s_cc and mbox cookies?

Resolution resolution

The ‘Secure’ and ‘HttpOnly’ flags cannot be set on these cookies as they would break the cookies’ functionality.

While setting these flags is necessary and important for cookies that contain sensitive data or act as authentication cookies to protect them from hijacking, s_cc and mbox cookies do not contain sensitive information. They need to be accessible by JavaScript as that is how these products access the data stored in the cookies and send it to Data Collection domains for analysis and reporting.

One option that is recommended to mitigate any concerns around the ‘Secure’ flag not being set is to use first-party SSL on Data Collection and to support the HSTS header on your domain, so all traffic is ensured to be over HTTPS, including these cookies.