Security Vulnerability

[mohan reddy]

SM-7 Missing secure flag on session ID 

In secure HTTPS applications, cookies must have the “Secure” flag set. The “Secure” flag informs browsers that a cookie should only be sent on connections that are encrypted with SSL. 

Without the “secure” flag, the non-encrypted HTTP domain for the application receives same-origin access to cookies set by the secure HTTPS domain; browsers will send unencrypted plaintext copies of cookies without the “secure” flag. 

Because any attacker on the Internet can fake the non-encrypted HTTP domain (it’s the encryption provided by TLS in HTTPS that prevents that from happening), and because cookies usually form the core of the authentication and authorization model of a web application, failing to set the “Secure” flag negates much of the security provided by SSL. 

RECOMMENDATION: Consult framework documentation to set the “Secure” flag on the cookie. Setting the “Secure” flag is usually simple; the framework may have a configuration setting that ensures all cookies are “Secure”, almost always provides a configuration option to ensure the Session cookie is “Secure”, and will usually offer the “Secure” flag as an option on the line of code that creates any given cookie.