Security testing - cookie vulnerability

I have had a pen test performed on my Shopify development store that highlighted an issue with an insecure cookie, specifically that the auth_state_01JAX0T5R0DWGGMGES7WGHSJBN cookie is missing ‘HttpOnly’ & ‘Secure’ flags.

Is this something that can be addressed, or is there a valid reason for the omission of these flags?

Apologies if this is posted in the wrong category, but I could not find anything more suitable.

Hello Dan,

We encountered a similar finding in a PCI Scan Report for one of our client’s stores.

The auth_state cookie functions as a session cookie, which generally means it doesn’t require the HttpOnly flag. The HttpOnly flag is typically used to prevent JavaScript access, which isn’t as necessary for session cookies that don’t hold sensitive information or persistent authentication data. Shopify manages this securely, so the cookie’s role doesn’t pose a security risk, even without this flag.

In conclusion, this seems to be a false positive in the pen test. The auth_state cookie is secure as configured, and there’s no need for concern.

Cheers,
Enrique

1 Like
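Whatever one concludes about this particular cookie, the finding itself is easy to reproduce and track: the script below is an added example, not code from either poster or from Shopify, that parses Set-Cookie header values and reports which cookies lack the Secure and HttpOnly attributes. The three header values are constructed samples (the cookie name from the question plus two made-up ones), not captured from a real store.

```python
"""Audit Set-Cookie header values for missing Secure / HttpOnly attributes."""
from typing import Dict, List

# Constructed sample Set-Cookie values; not captured from a real store.
SAMPLE_SET_COOKIE_HEADERS = [
    "auth_state_01JAX0T5R0DWGGMGES7WGHSJBN=abc123; Path=/; SameSite=Lax",
    "_secure_session_id=def456; Path=/; Secure; HttpOnly; SameSite=Lax",
    "cart_currency=GBP; path=/; secure",   # attribute names are case-insensitive
]


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie value into name, value and a lowercase attribute map."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        if not attr:            # tolerate a trailing ';'
            continue
        key, _, val = attr.partition("=")
        # Flag attributes (Secure, HttpOnly) carry no value; store True for them.
        attrs[key.strip().lower()] = val.strip() or True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def missing_flags(header: str) -> List[str]:
    """Return the protective attributes absent from this cookie, in report order."""
    attrs = parse_set_cookie(header)["attrs"]
    missing = []
    if "secure" not in attrs:
        missing.append("Secure")
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    return missing


def audit(headers: List[str]) -> Dict[str, List[str]]:
    """Map each cookie name to its missing attributes; cookies with none are omitted."""
    report: Dict[str, List[str]] = {}
    for header in headers:
        flags = missing_flags(header)
        if flags:
            report[parse_set_cookie(header)["name"]] = flags
    return report


if __name__ == "__main__":
    for name, flags in audit(SAMPLE_SET_COOKIE_HEADERS).items():
        print(f"{name}: missing {', '.join(flags)}")
```

To run it against a live response instead of the samples, feed `audit()` the list returned by `urllib.request.urlopen(url).headers.get_all("Set-Cookie")`.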