Severity: Medium

Description: The SASLogon application in SAS^® 9.4 does not set the HttpOnly attribute to a session cookie (CASTGC cookie).

Potential Impact: The session ID in the cookie might be read by JavaScript if an XSS flaw exists.

As a workaround, you can follow these steps to enable the HttpOnly attribute:

1. Open the SAS-configuration-directory/Lev1/Web/WebAppServer/SASServer1_1/sas_webapps/sas.svcs.logon.war/WEB-INF/spring-configuration/ticketGrantingTicketCookieGenerator.xml file in a text editor.
2. Add the p:cookieHttpOnly="true" attribute to the <bean id="ticketGrantingTicketCookieGenerator"> directive as shown below, and save the file:

3. Restart the SAS Web Application Server instances.

This issue is fixed in SAS^® 9.4M8 (TS1M8). A hot fix is not planned for SAS^® 9.4M7 (TS1M7) and earlier maintenance releases.

Operating System and Release Information