A.5 HttpOnly Command

Purpose

Novell Remote Manager sets the HttpOnly cookie attribute, which specifies that the cookie is not accessible through a script. This helps mitigate the risk of cross-site scripting.

Syntax

If the HttpOnly flag is included in the HTTP response header, the cookie cannot be accessed through a client-side script.

If you modify the setting, you must restart Novell Remote Manager.

HttpOnly <true|false>

| Option | Use |
|--------|-----|
| true | Include HttpOnly as an attribute in the response header. This is the default setting. |
| false | Do not include HttpOnly in the response header. |

To disable the HttpOnly attribute:

  1. Log in to the server as the root user, then open a terminal console.

  2. Stop the httpstkd daemon by entering

    rcnovell-httpstkd stop
    
  3. Open the /etc/opt/novell/httpstkd.conf file in a text editor.

  4. Review the potential security concerns for changing HttpOnly to false.

  5. Change the setting from

    HttpOnly true
    

    to

    HttpOnly false
    
  6. Save the file and exit the text editor.

  7. Start the httpstkd daemon by entering

    rcnovell-httpstkd start
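To confirm which setting is in effect after a restart, the following added example (not part of the Novell documentation) reads the HttpOnly directive from a configuration file and lists cookies in a set of HTTP response headers that lack the HttpOnly attribute. The function names, cookie names and sample data are constructed for illustration, and the parsing assumes one directive per line with the last occurrence winning.

```sh
#!/bin/sh
# Added example (not Novell code). Assumptions are marked where they apply.

# Print the effective HttpOnly value for an httpstkd.conf-style file.
# Assumptions: the directive is written exactly as documented
# ("HttpOnly true" / "HttpOnly false"), the last occurrence wins, and a
# missing directive means the documented default of true.
effective_httponly() {
    awk '$1 == "HttpOnly" && ($2 == "true" || $2 == "false") { v = $2 }
         END { print (v == "" ? "true" : v) }' "$1"
}

# Read HTTP response headers on stdin (for example from `curl -sI <URL>`)
# and print the name of every cookie set without the HttpOnly attribute.
# Header and attribute names are matched case-insensitively.
cookies_missing_httponly() {
    tr -d '\r' | awk '
        tolower($0) ~ /^set-cookie:/ {
            line = $0
            sub(/^[^:]*:[ \t]*/, "", line)      # drop the header name
            n = split(line, part, ";")
            name = part[1]; sub(/=.*/, "", name)
            found = 0
            for (i = 2; i <= n; i++) {
                attr = tolower(part[i])
                gsub(/^[ \t]+|[ \t]+$/, "", attr)
                if (attr == "httponly") found = 1
            }
            if (!found) print name
        }'
}

# Constructed sample data, not captured from a real server.
SAMPLE_HEADERS='HTTP/1.1 200 OK
Set-Cookie: example_session=abc123; Path=/; Secure; HttpOnly
Set-Cookie: example_pref=dark; Path=/
Content-Type: text/html'

conf=$(mktemp)
printf '%s\n' '#HttpOnly false' 'HttpOnly true' > "$conf"
echo "effective HttpOnly: $(effective_httponly "$conf")"
echo "cookies without HttpOnly:"
printf '%s\n' "$SAMPLE_HEADERS" | cookies_missing_httponly
rm -f "$conf"
```
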
    

Examples

HttpOnly true
HttpOnly false