Cookie security attributes

Secure attribute

The Secure attribute is automatically set on any cookie whose name carries the "-S" suffix.

HttpOnly attribute

To prevent scripting access and mitigate cookie stealing, Airlock session cookies have the HttpOnly flag set and are not accessible to active client-side components such as JavaScript, Flash, ActiveX, Java Applets, etc. The flag is also set for load balancing cookies, but not for CSRF token cookies, because the CSRF protection feature cannot work if the flag is set.

The flag can be disabled for the session and load balancing cookie with Security Gate Expert Settings.

SameSite attribute

The SameSite attribute is set to the enforcement mode Lax for the Airlock session cookies to prevent CSRF attacks. The SameSite mode for CSRF token cookies is set to Strict. The attribute is not set for the load balancing cookie, because this cookie is not security-critical.

The SameSite enforcement mode can be configured for all Airlock Gateway session cookies with Security Gate Expert Settings.
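A small audit script that checks Set-Cookie headers against the attribute rules described in this section, added here as an example and not Airlock code; the cookie names AL_SESS-S, AL_CSRF-S and AL_LB and their role mapping are constructed assumptions, since this page does not name the actual cookies.

```python
# Audit Set-Cookie headers against the cookie attribute rules described on this page.
# Added example, not Airlock code; the cookie names used below are constructed placeholders.
# Expected attributes per cookie role, taken from the text: session cookies get HttpOnly and
# SameSite=Lax, CSRF token cookies get SameSite=Strict but no HttpOnly, load balancing
# cookies get HttpOnly and no SameSite attribute at all.
POLICY = {
    "session": {"httponly": True, "samesite": "Lax"},
    "csrf": {"httponly": False, "samesite": "Strict"},
    "loadbalancer": {"httponly": True, "samesite": None},
}

def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value or True})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True  # flag attributes carry no value
    return name.strip(), value.strip(), attrs

def audit_cookie(kind, header):
    """Return the list of policy violations for a cookie of the given role."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    # Any cookie whose name carries the "-S" suffix must also carry the Secure attribute.
    if name.endswith("-S") and "secure" not in attrs:
        findings.append(f"{name}: '-S' suffix but Secure attribute missing")
    rule = POLICY[kind]
    if ("httponly" in attrs) != rule["httponly"]:
        findings.append(f"{name}: HttpOnly {'missing' if rule['httponly'] else 'must not be set'}")
    samesite = attrs.get("samesite")
    samesite = "" if samesite is True else samesite  # bare "SameSite" with no value
    want = rule["samesite"]
    if want is None and samesite is not None:
        findings.append(f"{name}: SameSite should not be set, found {samesite!r}")
    elif want is not None and (samesite or "").lower() != want.lower():
        findings.append(f"{name}: SameSite expected {want}, found {samesite!r}")
    return findings

# Constructed sample headers; the last one is deliberately misconfigured.
SAMPLE_HEADERS = [
    ("session", "AL_SESS-S=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("csrf", "AL_CSRF-S=tok456; Path=/; Secure; SameSite=Strict"),
    ("loadbalancer", "AL_LB=node2; Path=/; HttpOnly"),
    ("session", "AL_SESS-S=weak789; Path=/; HttpOnly; SameSite=None"),
]

def audit_all(samples=SAMPLE_HEADERS):
    """Map each sample header to its findings (an empty list means compliant)."""
    return {header: audit_cookie(kind, header) for kind, header in samples}

if __name__ == "__main__":
    for header, findings in audit_all().items():
        print(header.split(";")[0], "->", findings or "OK")
```

Running the script reports the last sample twice: the "-S" cookie lacks Secure, and its SameSite value is None instead of Lax.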