THE INFORMATION IN THIS ARTICLE APPLIES TO:
- EFT Server, version 6.4.0 and later
- Mail Express, version 3.x and later
The server issued one or more cookies without the HttpOnly flag. A cookie that lacks this flag can be read by client-side script through document.cookie, so any cross-site scripting flaw on the site can be used to steal it.
Note that setting the HttpOnly flag does not guarantee that a cookie cannot be read by an attacker. Researchers have found at least one way around it, called Cross Site Tracing (XST), which abuses the HTTP TRACE method: a server that supports TRACE echoes the request back to the client, including the Cookie header, so a script that can issue a TRACE request to the server can read cookies the browser would otherwise hide (current browsers refuse to send TRACE from script, which further limits the technique). The good news is that EFT Server's HTTP engine does not support the TRACE method, so that particular attack vector does not apply, at least for those cookies protected by the HttpOnly flag.
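The two checks a practitioner would want after reading the above are (a) which cookies a server issues without HttpOnly (and Secure), and (b) whether the server reflects TRACE requests, which is the precondition for XST. The script below is an added example, not code from the original article or from Globalscape's products; the Set-Cookie values and the TRACE responses it inspects are constructed samples, and probe_trace() is a hypothetical live check against a host of your choosing.

```python
"""Audit Set-Cookie headers for HttpOnly/Secure and test whether a TRACE
response reflects the request (the XST precondition).

Added example, not part of the original article. Sample data is constructed."""
import ssl
from http.client import HTTPConnection, HTTPSConnection


def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (cookie_name, attributes).
    Attribute names are case-insensitive, so they are lower-cased here."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_cookies(set_cookie_values):
    """Return [(cookie_name, [missing flags])] for every cookie that lacks
    HttpOnly or Secure. Cookies that carry both flags are not reported."""
    findings = []
    for value in set_cookie_values:
        name, attrs = parse_set_cookie(value)
        missing = [flag for flag in ("httponly", "secure") if flag not in attrs]
        if missing:
            findings.append((name, missing))
    return findings


def trace_is_reflected(status, headers, body, request_line):
    """XST needs the server to answer TRACE with 200 and echo the request
    (Content-Type: message/http). A 405/501, or a body that does not contain
    the request line we sent, means TRACE is effectively unavailable."""
    if status != 200:
        return False
    content_type = headers.get("content-type", "").lower()
    return content_type.startswith("message/http") and request_line.encode() in body


def probe_trace(host, port=443, use_tls=True, path="/"):
    """Hypothetical live check: send one TRACE and report whether it is reflected.
    Not exercised by the constructed samples below."""
    if use_tls:
        conn = HTTPSConnection(host, port, context=ssl.create_default_context())
    else:
        conn = HTTPConnection(host, port)
    conn.request("TRACE", path, headers={"X-Probe": "xst-check"})
    resp = conn.getresponse()
    body = resp.read()
    headers = {k.lower(): v for k, v in resp.getheaders()}
    conn.close()
    return trace_is_reflected(resp.status, headers, body, f"TRACE {path} HTTP/1.1")


# Constructed Set-Cookie headers: one hardened, one bare, one Secure-only.
SAMPLE_SET_COOKIE = [
    "SESSIONID=abc123; Path=/; Secure; HttpOnly",
    "prefs=dark; Path=/",
    "csrftoken=xyz; Path=/; Secure",
]

# Constructed TRACE responses: a reflecting server vs. one that rejects TRACE.
TRACE_REFLECTED = (
    200,
    {"content-type": "message/http"},
    b"TRACE / HTTP/1.1\r\nHost: example.test\r\nCookie: prefs=dark\r\n\r\n",
)
TRACE_REJECTED = (405, {"allow": "GET, HEAD, POST"}, b"Method Not Allowed")

if __name__ == "__main__":
    for name, missing in audit_cookies(SAMPLE_SET_COOKIE):
        print(f"cookie {name!r} is missing: {', '.join(missing)}")
    print("reflecting server vulnerable to XST:",
          trace_is_reflected(*TRACE_REFLECTED, "TRACE / HTTP/1.1"))
    print("rejecting server vulnerable to XST:",
          trace_is_reflected(*TRACE_REJECTED, "TRACE / HTTP/1.1"))
```

When pointing probe_trace() at a real host, treat only a 200 with a message/http body that echoes your request line as a positive; a 200 with an HTML error page is a common false positive from front-end proxies.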