Qualys WAS picked up one XSS vulnerability and two information disclosure warnings, but HPE’s Fortify didn’t find anything vulnerable. It would be interesting to find out why, but I am not going to cover that today. Today I would like to talk about one of the information disclosure warnings, titled “Session Cookie Does Not Contain the ‘Secure’ Attribute”, and how to fix it.
The fix for this finding is actually very simple. In the web.config file of your ASP.NET web application, add this line inside the <system.web> section:
<httpCookies httpOnlyCookies="true" requireSSL="true" />
But if you use Forms authentication, you will also need to add the requireSSL attribute to the <forms> tag, because the Forms authentication cookie has its own setting:
<forms ... requireSSL="true" />
Now if you scan your application again, the information disclosure warning should be gone.
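As an added example (not code from the original post), here is a small audit script that checks a web.config for the two settings described above, so the fix can be verified before rescanning; the two sample configs are constructed for the demo and the cookie names mentioned in the findings are the ASP.NET defaults.

```python
# Added example: audit a web.config for the cookie settings covered above (sample configs constructed).
import xml.etree.ElementTree as ET

def _child(parent, tag):
    # First direct child element with this tag (None if absent)
    return next((c for c in parent if c.tag == tag), None)

def _is_true(element, attribute):
    # ASP.NET treats a missing requireSSL / httpOnlyCookies attribute as false
    return element is not None and element.get(attribute, "false").lower() == "true"

def audit_cookie_config(web_config_xml):
    """Return findings for cookies that would be issued without Secure/HttpOnly."""
    root = ET.fromstring(web_config_xml)
    system_web = _child(root, "system.web")
    if system_web is None:
        return ["no <system.web> section found"]
    findings = []
    http_cookies = _child(system_web, "httpCookies")
    if not _is_true(http_cookies, "requireSSL"):
        findings.append("httpCookies requireSSL is not true: session cookie lacks Secure")
    if not _is_true(http_cookies, "httpOnlyCookies"):
        findings.append("httpCookies httpOnlyCookies is not true")
    authentication = _child(system_web, "authentication")
    if authentication is not None and authentication.get("mode", "").lower() == "forms":
        # The Forms ticket cookie has its own flag; httpCookies/requireSSL does not cover it
        if not _is_true(_child(authentication, "forms"), "requireSSL"):
            findings.append("forms requireSSL is not true: Forms auth cookie lacks Secure")
    return findings

WEAK_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login" timeout="30" />
    </authentication>
  </system.web>
</configuration>"""

FIXED_CONFIG = """<configuration>
  <system.web>
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login" timeout="30" requireSSL="true" />
    </authentication>
  </system.web>
</configuration>"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, audit_cookie_config(cfg) or ["OK"])
```

With requireSSL set, ASP.NET only issues these cookies over HTTPS, so make sure the application is actually served over TLS before deploying the change.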