Adding the Secure Attribute on a Cookie
Chances are you arrived at this page because a security scan is requiring you to ensure that a "Secure" attribute is attached to every cookie your application sets. You may ask: my application is already using SSL, so why do I need to force these cookies to be sent over SSL when that is all I am using? The quick answer is double protection. The Secure attribute tells the browser never to send the cookie over a plain HTTP connection, so if an SSL misconfiguration or a stray http:// request to your site ever occurs, the cookie is not exposed on the wire. Is a missing "Secure" tag a huge concern if your application is using HTTPS? Not really, but it is definitely something that should be fixed, especially considering how easy it is to do. Fortunately this is fairly easy to remediate and most of the time it can be done on the server side.
Picture from: http://image.slidesharecdn.com/cookiereplayattack-unitwisepresentation-140612002225-phpapp02/95/cookie-replay-attack-unit-wise-presentation-8-638.jpg?cb=1402532621
What we are looking to do here is to add a “secure” attribute to the cookies that are being sent in the response.
To add the Secure attribute to cookies in an application running on ASP.NET or IIS, you should be able to simply edit the web.config. Find the line that reads <httpCookies requireSSL="false" /> and change false to true; this will satisfy your security scan.
For Oracle WebLogic you are likely already seeing the WL_AUTHCOOKIE_JSESSIONID cookie with the "Secure" attribute; this is set by default. To add the attribute to the other cookies, add the <cookie-secure>true</cookie-secure> element inside the <session-descriptor> section of the config.xml.
To add the Secure attribute to cookies in Oracle iPlanet, open web-apps.xml and you will see an "is secure" attribute for the cookie in question. By default this is set to false; to fix it, change it to true.
For Apache the fix varies a little. As a starting point, make sure mod_headers.so is enabled for your server. Once it is, add the following to httpd.conf:
Header edit Set-Cookie ^(.*)$ $1;Secure
For versions below 2.2.4 (and if you're fixing this on one of those... well... let's just say you shouldn't be on 2.2.4):
Header set Set-Cookie Secure
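Whichever server you fixed, the practical check afterwards is to look at the Set-Cookie headers the server actually returns rather than trusting the config edit. The script below is an added example written for this article, not code from Microsoft, Oracle or Apache: it parses Set-Cookie headers, reports every cookie that lacks the Secure attribute, and emulates the Apache "Header edit" rule shown above so you can see what it does to a cookie that is already Secure (the attribute is appended a second time, which browsers ignore). The sample headers and cookie values are constructed for the offline run; pass an https:// URL of your own server to check a live response.

```python
"""Check that every Set-Cookie header in a response carries the Secure attribute.

Added example for this article; not code from any of the products mentioned.
Run with no arguments to check the constructed sample headers below, or pass an
https:// URL to check a live response.
"""
import http.client
import re
import ssl
import sys
from urllib.parse import urlparse


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (cookie_name, {attribute_lower: value}).

    Attribute names are case-insensitive per RFC 6265, so 'secure' and
    'Secure' are treated alike; valueless attributes map to ''.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def missing_secure(set_cookie_headers):
    """Return the names of cookies whose Set-Cookie header lacks Secure."""
    return [
        name
        for name, attrs in map(parse_set_cookie, set_cookie_headers)
        if "secure" not in attrs
    ]


def apache_header_edit(header_value):
    """Emulate the article's rule:  Header edit Set-Cookie ^(.*)$ $1;Secure

    The rule appends ';Secure' unconditionally, so a cookie that already
    carries Secure ends up with the attribute twice. Browsers treat the
    duplicate as a no-op, so the result is still a Secure cookie.
    """
    return re.sub(r"^(.*)$", r"\1;Secure", header_value, count=1)


def fetch_set_cookie_headers(url, timeout=10):
    """GET one https:// URL and return every Set-Cookie value it sends back.

    This is the only function that touches the network; everything else
    in this script works offline.
    """
    parsed = urlparse(url)
    if parsed.scheme != "https":
        raise ValueError("use an https:// URL; the check is about cookies set over TLS")
    path = parsed.path or "/"
    if parsed.query:
        path += "?" + parsed.query
    conn = http.client.HTTPSConnection(
        parsed.hostname, parsed.port or 443, timeout=timeout,
        context=ssl.create_default_context(),
    )
    try:
        conn.request("GET", path)
        response = conn.getresponse()
        # getheaders() keeps repeated headers as separate pairs, which matters
        # because each cookie arrives in its own Set-Cookie header.
        return [v for k, v in response.getheaders() if k.lower() == "set-cookie"]
    finally:
        conn.close()


# Constructed sample headers (not captured from any real server). The cookie
# names follow the products discussed in the article.
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/; HttpOnly",
    "WL_AUTHCOOKIE_JSESSIONID=def456; Path=/; Secure; HttpOnly",
    "ASP.NET_SessionId=ghi789; path=/; secure; HttpOnly",
    "prefs=dark; Path=/; Max-Age=31536000",
]


def main(argv):
    headers = fetch_set_cookie_headers(argv[1]) if len(argv) > 1 else SAMPLE_HEADERS
    bad = missing_secure(headers)
    for name in bad:
        print(f"FAIL: cookie {name!r} is set without the Secure attribute")
    if not bad:
        print(f"OK: all {len(headers)} cookie(s) carry the Secure attribute")
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The exit status is non-zero when any cookie is missing Secure, so the script can run as a post-deployment gate; the attribute comparison is lowercased because servers differ in how they capitalise it, as the ASP.NET sample line shows.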