Session Cookie Does Not Contain the “Secure” Attribute


Recently we scanned one of our web applications with two well-known security analysis tools, Qualys' Web Application Scanning (WAS) tool and HPE's Fortify Static Code Analyzer, and the results were different.

Qualys WAS picked up one XSS vulnerability and two information disclosure warnings, while HPE's Fortify found nothing. It would be interesting to find out why, but I am not going to cover that today. Today I would like to talk about one of the information disclosure warnings, titled "Session Cookie Does Not Contain the 'Secure' Attribute", and how to fix it.

If your web application uses cookies and any request is made over a plain HTTP connection, the cookie values travel in cleartext and can be intercepted and recovered by anyone on the network path, which is the information disclosure the scanner reports. To prevent this, the cookie can be set with the "Secure" attribute, which tells the browser to transmit that cookie only over HTTPS connections and never over HTTP.

The fix for this finding is actually very simple. In the web.config file of your ASP.NET web application, add this line inside the <system.web> section:

<httpCookies httpOnlyCookies="true" requireSSL="true" />

The requireSSL attribute is what adds the Secure flag to the cookies the application issues. The httpOnlyCookies attribute is a separate protection: it adds the HttpOnly flag, which stops client-side script from reading the cookie, so it is worth enabling at the same time.

But if you use Forms authentication, the authentication ticket cookie has its own setting, so you will also need to add the requireSSL attribute to the <forms> tag (inside <authentication mode="Forms">):

<forms ...  requireSSL="true" />
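To show where both settings sit in relation to each other, here is a minimal web.config as an added example; it is not the configuration from the original post, and the cookie name and loginUrl are placeholder values chosen for illustration.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not from the original post: a minimal ASP.NET web.config
     with both settings described above in their correct positions.
     The cookie name and loginUrl below are placeholders. -->
<configuration>
  <system.web>
    <!-- Every cookie issued through the ASP.NET pipeline gets
         HttpOnly (not readable by script) and Secure (sent only over HTTPS).
         The vulnerable default is simply to omit this element, or to set
         requireSSL="false". -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />

    <authentication mode="Forms">
      <!-- The Forms authentication ticket cookie is controlled here, not by
           <httpCookies>, so it needs its own requireSSL="true"; without it
           the scanner keeps reporting the session cookie. -->
      <forms name=".EXAMPLEAUTH"
             loginUrl="~/Account/Login"
             requireSSL="true" />
    </authentication>
  </system.web>
</configuration>
```

Both elements live under <system.web>; the <forms> element is nested inside <authentication>, which is the place people most often miss when only the <httpCookies> line has been added.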

Now if you scan your application again, the information disclosure warning should go away. One caveat: once requireSSL is set, the application must be served over HTTPS. The browser will not send the flagged cookies over plain HTTP, and Forms authentication will refuse to issue its ticket on a non-HTTPS request, so any remaining HTTP entry points should redirect to HTTPS.
