VID: 210183
Severity: 20
Port: 80, ...
Protocol: TCP
Class: CGI
Detailed Description
A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections.
Whenever a cookie contains sensitive information or is a session token, it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information.
* References:
  https://www.owasp.org/index.php/SecureFlag
  http://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)
* Platforms Affected: Any operating system, any version
Recommendation
* Java Servlet 3.0 (Java EE 6) introduced a standard way to configure the secure attribute for the session cookie. This is done by applying the following configuration in web.xml:
  [web.xml]
    <session-config>
      <cookie-config>
        <secure>true</secure>
      </cookie-config>
    </session-config>
* Tomcat: In Tomcat 6, if the first request for a session is made over HTTPS, Tomcat automatically sets the secure attribute on the session cookie.
  [Setting it as a custom header] For older versions the workaround is to rewrite the JSESSIONID value and set it as a custom header. The drawback is that servers can be configured to use a different session identifier than JSESSIONID.
    // Re-emit the current session id as a Set-Cookie header carrying the secure attribute
    String sessionid = request.getSession().getId();
    response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + "; secure");
* PHP: For session cookies managed by PHP, the flag can be set permanently in php.ini (see the PHP manual on the secure flag) through the parameter:
    session.cookie_secure = True
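The check behind this finding, as an added example that is not part of the original entry: it reads every Set-Cookie header in a response and reports the cookies that carry no Secure attribute, treating attribute names case-insensitively as browsers do. The function names (`parse_set_cookie`, `audit_set_cookie`) and the sample headers are constructed for this example.

```python
"""Report cookies set without the Secure attribute (added example, not from the original entry)."""
from typing import Dict, List, Tuple

# Constructed sample: headers as a scanner would see them on one HTTP response.
# Attribute casing is mixed on purpose; cookie attributes are case-insensitive.
SAMPLE_HEADERS: List[Tuple[str, str]] = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=ABC123; Path=/; HttpOnly"),
    ("Set-Cookie", "PHPSESSID=deadbeef; path=/; SECURE; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/"),
    ("Set-Cookie", "token=xyz; Secure"),
]


def parse_set_cookie(value: str) -> Tuple[str, Dict[str, str]]:
    """Return (cookie_name, {attribute_lowercased: attribute_value}).

    Only the first "name=value" pair is the cookie itself; everything after
    the first ';' is an attribute. Secure and HttpOnly take no value, so they
    map to an empty string.
    """
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_set_cookie(headers: List[Tuple[str, str]]) -> List[str]:
    """Names of the cookies in `headers` that were set without the Secure attribute."""
    missing: List[str] = []
    for header_name, header_value in headers:
        # Header names are case-insensitive too ("SET-COOKIE" is valid).
        if header_name.lower() != "set-cookie":
            continue
        cookie_name, attrs = parse_set_cookie(header_value)
        if "secure" not in attrs:
            missing.append(cookie_name)
    return missing


if __name__ == "__main__":
    for cookie in audit_set_cookie(SAMPLE_HEADERS):
        print(f"cookie {cookie!r} set without the Secure flag")
```

Run on the sample, the audit flags JSESSIONID and theme; PHPSESSID (uppercase SECURE) and token pass. Feeding it the header produced by the Tomcat workaround above, `JSESSIONID=<id>; secure`, yields no finding, which is the check to run against a server after applying any of the fixes.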
Related URL (CVE):
Related URL (SecurityFocus):
Related URL (ISS):