FAQ on CSRF-related cookies in ADSelfService Plus


This FAQ covers common questions about the adscsrf and _zcsr_tmp cookies used in ADSelfService Plus. It explains their role in cross-site request forgery (CSRF) protection and overall portal functionality, and addresses the security concern most often raised by vulnerability scanners: that these cookies are set without the HttpOnly flag.

FAQ

Q: Why are some cookies in ADSelfService Plus not set as HttpOnly?
A: The adscsrf and _zcsr_tmp cookies carry CSRF tokens. ADSelfService Plus uses them in the double-submit cookie pattern: the server sets the token in the cookie, the portal's client-side JavaScript reads that value and sends it back in a request header, and the server accepts the request only if the header value matches the cookie value. A cross-site attacker's page can make the victim's browser send the cookie automatically, but it cannot read the cookie value or set a custom request header on a cross-origin request, so the check fails. For this to work the cookies must be readable by JavaScript; setting the HttpOnly flag would hide them from the script and break the protection.

Q: Do cookies without the HttpOnly flag pose a security risk?
A: No. These cookies are not used for session management and do not store authentication data; the session cookie is separate and is not what these questions are about. Their sole purpose is to enable CSRF protection, and a CSRF token is only useful to an attacker who can read it. An attacker limited to cross-site requests cannot read it. An attacker who can run script inside the portal's origin (cross-site scripting) could read it, but that attacker can already issue authenticated requests directly, so HttpOnly would not reduce the impact of that scenario. Leaving adscsrf and _zcsr_tmp without HttpOnly therefore does not introduce a security risk in this context.

Q: Can the adscsrf and _zcsr_tmp cookies be set as HttpOnly?
A: No. Setting them as HttpOnly would prevent JavaScript from reading their values, and the client script must read them to submit the token with each request for server-side CSRF validation. This is the standard behaviour of the double-submit cookie pattern used by web applications that implement CSRF protection this way. Scanner findings that flag these two cookies for missing HttpOnly can be treated as expected behaviour, provided the session cookie itself remains HttpOnly.

Q: What are best practices for cookies used in CSRF protection?
A:
CSRF token cookies should be accessible to client-side code (i.e., should not be HttpOnly), since the script must read and resend the value.
Ensure these cookies are only used for CSRF protection and do not carry session identifiers or other sensitive data; the session cookie should stay HttpOnly.
Generate the token value with a cryptographically secure random generator so it cannot be guessed, and compare it on the server against the value submitted in the request header rather than trusting either one alone.
Use the Secure attribute so the cookie is only sent over HTTPS, and a SameSite attribute (Strict or Lax) where possible so browsers do not attach the cookie to cross-site requests at all.
