Security Scans Indicate HttpOnly Attribute Not Set for XSRF-TOKEN Cookies


Published: 23 Nov 2015
Last Modified Date: 30 Mar 2017

Issue

When performing a security scan of the computer running Tableau Server, the scan results might state that XSRF-TOKEN cookies for the site do not have the HttpOnly attribute set.

Environment

Tableau Server

Resolution

No action is necessary; this behavior is by design.
 

Cause

For protection, the session_id cookie has the HttpOnly attribute set. Authentication cannot be completed with the XSRF-TOKEN cookie alone; it succeeds only when XSRF-TOKEN is paired with the protected session_id cookie.
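
One way to apply this when triaging a scan report, as an added example that is not Tableau's code: it parses Set-Cookie headers and accepts a missing HttpOnly on XSRF-TOKEN as by design only while session_id carries HttpOnly. The cookie names come from this article; the function names and sample header values are constructed for illustration.

```python
# Added example: triage HttpOnly findings from response Set-Cookie headers.
# Cookie names come from the article; header values below are constructed.

SESSION_COOKIE = "session_id"      # must carry HttpOnly (per the article)
BY_DESIGN_EXEMPT = {"XSRF-TOKEN"}  # HttpOnly absent by design (per the article)


def parse_set_cookie(header):
    """Return (name, attribute-dict) for one Set-Cookie header value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name.strip(), attrs


def triage(set_cookie_headers):
    """Classify each cookie as 'ok', 'by-design', or 'finding'."""
    results = {}
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if "httponly" in attrs:
            results[name] = "ok"
        elif name in BY_DESIGN_EXEMPT:
            results[name] = "by-design"
        else:
            results[name] = "finding"
    # The exemption holds only while the session cookie is seen with HttpOnly,
    # so pass in every Set-Cookie header from the sign-in responses.
    if results.get(SESSION_COOKIE) != "ok":
        for name in BY_DESIGN_EXEMPT:
            if name in results:
                results[name] = "finding"
    return results


# Constructed sample headers (not captured from a real server).
SAMPLE = [
    "session_id=CONSTRUCTED-VALUE; Path=/; Secure; HttpOnly",
    "XSRF-TOKEN=CONSTRUCTED-TOKEN; Path=/; Secure",
]

if __name__ == "__main__":
    for cookie, verdict in triage(SAMPLE).items():
        print(f"{cookie}: {verdict}")
```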