Secure the CAM Passport Cookie

Administrators can set the HTTPOnly attribute to block scripts from reading or manipulating the CAM passport cookie during a user's session with their web browser. CAM passport identifies a user's web browser session with the server.

Malicious scripts can be injected into an authenticated user's web browser through a cross-site scripting (XSS) attack on the server or web application. Enabling the HTTPOnly attribute prevents such scripts from reading the cookie and stealing the user's session identity.

When an administrator sets this attribute, the web browser uses the session cookie only when sending HTTP requests to the server; scripts running in the page cannot access it.

Administrators who want to enable this attribute must ensure that their users' web browsers support the HTTPOnly attribute.
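One way to verify that the setting took effect is to inspect the Set-Cookie headers the server returns after login and confirm that the passport cookie carries the HTTPOnly attribute. The following is an added example, not code from the product or this page; the cookie name "cam_passport" and the sample header values are assumptions constructed for the example.

```python
from typing import Dict, List, Union

# Constructed sample Set-Cookie header values, as a login response might
# return them. The cookie name "cam_passport" is an assumption; check the
# name your own server actually issues.
SAMPLE_HEADERS = [
    "cam_passport=MTsxMDE6abc123; Path=/; Secure; HttpOnly",
    "cam_passport=MTsxMDE6def456; Path=/; Secure",
    "JSESSIONID=7F2A; Path=/; HttpOnly",
]


def parse_set_cookie(header: str) -> Dict[str, Union[str, Dict[str, Union[str, bool]]]]:
    """Split one Set-Cookie value into its name, value and attribute map.

    Attribute names are lower-cased because browsers match them
    case-insensitively; value-less attributes such as HttpOnly map to True.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Union[str, bool]] = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def passport_cookie_findings(headers: List[str], cookie_name: str = "cam_passport") -> List[str]:
    """Return one finding per passport cookie that lacks the HttpOnly attribute.

    An empty list means every occurrence of the cookie is protected from
    page scripts, which is the state the administrator setting should produce.
    """
    findings: List[str] = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if str(cookie["name"]).lower() != cookie_name.lower():
            continue  # other cookies are outside the scope of this check
        if "httponly" not in cookie["attrs"]:
            findings.append(f"{cookie['name']}: missing HttpOnly, readable by page scripts")
    return findings


if __name__ == "__main__":
    for finding in passport_cookie_findings(SAMPLE_HEADERS) or ["all passport cookies carry HttpOnly"]:
        print(finding)
```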