Enable UserCookie version 3.1 [Updated in Security Center 1.3]

  • Release version: Washingtondc
  • Updated February 1, 2024

  Manage the version of UserCookie that is enabled on your instance so that the secret key is held in secure storage rather than in the source code.

    UserCookie v3 is generated only when the glide.ui.secure.cookies.use_kmf property is disabled. UserCookie v3 is not secure because the secret key for its hash-based message authentication codes (HMAC) is stored in the source code and is identical for all customers. A bad actor who has that secret key can try to hijack user sessions. To remediate this security threat, set the glide.ui.secure.cookies.use_kmf property to true, which enables UserCookie v3.1. With v3.1, the secret key is stored in secure storage such as KMF.

    More information

    Attribute: Description
    Configuration name: glide.ui.secure.cookies.use_kmf
    Configuration type: System Properties (/sys_properties_list.do)
    Data type: boolean
    Recommended value: true
    Default value: false
    Category: Session management
    Security risk:
      • Severity score: 7.1
      • CVSS score: High
      • Security risk details: Setting this to false is a security vulnerability due to the secret key for hash-based message authentication codes (HMAC) being stored in the source code.
    Dependencies and prerequisites: None
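
One way to audit this setting across several instances, as an added example that is not ServiceNow code: a Node.js check over sys_properties records exported as JSON. The `{ result: [{ name, value }] }` export shape, the function names and the instance names are assumptions, and the sample data is constructed; a missing record is treated as the documented default of false.

```javascript
// Added example (not ServiceNow code). Sample data below is constructed.
const PROPERTY = 'glide.ui.secure.cookies.use_kmf';
const DOCUMENTED_DEFAULT = 'false'; // "Default value" row on this page

// tableApiResponse: assumed shape { result: [{ name, value }, ...] } from a
// sys_properties export. Property values are handled as strings.
function auditUseKmf(instance, tableApiResponse) {
  const rows = (tableApiResponse && tableApiResponse.result) || [];
  const row = rows.find((r) => r.name === PROPERTY);
  // No record means the documented default applies, so the instance is NOT safe.
  const raw = row ? String(row.value).trim().toLowerCase() : DOCUMENTED_DEFAULT;
  const enabled = raw === 'true';
  return {
    instance,
    recordPresent: Boolean(row),
    cookieVersion: enabled ? 'v3.1' : 'v3',
    compliant: enabled,
    finding: enabled
      ? 'HMAC key held in secure storage (KMF)'
      : (row ? 'property explicitly disabled' : 'property not set, default applies'),
  };
}

// Returns the names of instances that would still generate UserCookie v3.
function nonCompliant(exportsByInstance) {
  return Object.entries(exportsByInstance)
    .map(([name, resp]) => auditUseKmf(name, resp))
    .filter((r) => !r.compliant)
    .map((r) => r.instance);
}

// Constructed sample exports for three hypothetical instances.
const SAMPLE_EXPORTS = {
  'prod-example': { result: [{ name: PROPERTY, value: 'true' }] },
  'test-example': { result: [{ name: PROPERTY, value: 'False ' }] },
  'dev-example': { result: [{ name: 'glide.ui.session_timeout', value: '30' }] },
};

for (const [name, resp] of Object.entries(SAMPLE_EXPORTS)) {
  const r = auditUseKmf(name, resp);
  console.log(`${r.instance}: UserCookie ${r.cookieVersion}, compliant=${r.compliant} (${r.finding})`);
}
```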