CSCvt31126 - ENH allow http-only-cookie for web connection
11-19-2020 12:03 PM - edited 11-19-2020 12:03 PM
Anybody else have this issue or know the patch from Cisco? I have not seen anything from Cisco for this bug.
Thanks
12-12-2023 07:08 AM
Internal vulnerability scanner picked up this vulnerability and have been looking for a resolution as well.

01-23-2024 10:20 AM
This issue has been carried over from the ASAs, Cisco Bug: CSCvt31126 - ENH: allow http-only-cookie for web connection
On the ASA they had a fix for it but apparently no workaround for the FTDs. Also, the severity was lowered from 2 Severe to 6 Enhancement, go figure! I opened a TAC case for it even though I doubt they will have a fix.
02-19-2024 10:33 AM
Hey Aomar, did you receive any response from Cisco? I am having a problem similar to this case.

03-25-2024 12:43 PM
Yes, with the FTDs you need to use FlexConfig. First you need to create a Flex Object, then attach it to the device FlexConfig Policy. Here is what the object looks like:
05-29-2024 06:30 AM - edited 05-29-2024 06:31 AM
Aomar, I tried the FlexConfig policy. One of the situations that occurred to me is that, after applying it, once we performed another deploy the policy disappeared; to solve this problem, in the Deployment field we must add Everytime. But apart from this, we realized that by enabling the policy we would lose the AnyConnect download portal over the internet, so we decided it was better not to apply it after all. But anyway, thank you very much Aomar.
06-07-2024 09:22 AM - edited 06-07-2024 09:23 AM
I have tried creating this flexconfig item, but each time I deploy, I get the following error:
error :
@httpOnly
^
ERROR: % Invalid input detected at '^' marker.
Config Error -- @httpOnly
Any idea what I am doing wrong?
06-07-2024 10:35 AM
Hey @cball111
I don't know exactly the reason for the error, but try adding the "conf t" command at the beginning, for example:
configure terminal
webvpn
httpOnly
Or instead try with this:
webvpn
http-only-cookie
06-07-2024 10:59 AM
Configure Terminal also produced an error. However, the second option works!
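
One way to confirm from the client side that a deployed `http-only-cookie` setting took effect, as an added example that is not part of the original thread and is not Cisco code: audit the `Set-Cookie` headers of a saved response for the `HttpOnly` attribute, which is what a vulnerability scanner reports as missing. The function names and the sample headers (including the cookie names) are constructed placeholders.

```python
# Added example: audit Set-Cookie headers for the HttpOnly (and Secure) attribute.
# The sample responses below are constructed; cookie names are placeholders.

def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Only the segments after the first ';' are attributes; the cookie value
    # itself is never inspected, so a value of "httponly" does not count.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs

def audit_headers(raw_headers):
    """Return {cookie_name: [missing flags]} for every cookie lacking a flag."""
    findings = {}
    for line in raw_headers.splitlines():
        field, sep, value = line.partition(":")
        # Header field names are case-insensitive; skip the status line and others.
        if not sep or field.strip().lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        missing = [flag for flag in ("httponly", "secure") if flag not in attrs]
        if missing:
            findings[name] = missing
    return findings

# Constructed response headers captured before the setting is deployed.
BEFORE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: portal_session=abc123; path=/; secure
Set-Cookie: portal_lang=en; path=/; secure
"""

# Constructed response headers after deployment; the second cookie shows why a
# plain substring search for "httponly" would give a false pass.
AFTER = """HTTP/1.1 200 OK
Content-Type: text/html
set-cookie: portal_session=abc123; path=/; Secure; HttpOnly
Set-Cookie: portal_note=httponly; path=/; secure
"""

if __name__ == "__main__":
    print("before:", audit_headers(BEFORE))
    print("after: ", audit_headers(AFTER))
```
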
10-20-2024 05:54 AM
We will be providing a UI option to enable the 'HTTP Only Flag' in FMC 7.7, which is the targeted release for next year.
