Adding the Secure Attribute on a Cookie

Chances are you arrived at this page because a security scan is requiring you to ensure that the “secure” attribute is set on all the cookies in your application. You may ask: my application is already using SSL, so why am I forcing these cookies to be sent over SSL if that’s all I am using? The quick answer is double protection. To limit potential errors that may arise because of SSL issues, it is important to ensure that all cookies are forced to be sent over SSL. Is this “secure” tag a huge concern if your application is using HTTPS? Not really, but it definitely is something that should be fixed, especially considering how easy it is to do. Fortunately, this is fairly easy to remediate, and most of the time the fix can take place on the server side.



What we are looking to do here is to add a “secure” attribute to the cookies that are being sent in the response.


To add the secure attribute to cookies in an ASP.NET application, or to add this attribute on an IIS server, you should be able to simply edit the web.config. Find where it says <httpCookies requireSSL="false" />, change the value to true, and this will satisfy your security scan.


Oracle Weblogic

For Oracle Weblogic it is likely that you are already seeing the WL_AUTHCOOKIE_JSESSIONID cookie with the “secure” attribute. This is set by default. To add this attribute to other cookies, add the <cookie-secure>true</cookie-secure> tag in the <session-descriptor> part of the config.xml.




Oracle iPlanet

To add the secure attribute to cookies in Oracle iPlanet, simply go to the web-apps.xml and you will see an “is secure” attribute for the cookie in question. By default this will be set to false; to fix it, just change this to true.



For Apache the fix varies a little bit. In general, as a good starting point, make sure that your application has the enabled. Once this is good, go ahead and add the following to the httpd.conf:

Header edit Set-Cookie ^(.*)$ $1;Secure

For versions below 2.2.4 (which, if you’re fixing this…well…let’s just say you shouldn’t be on 2.2.4):

Header set Set-Cookie Secure
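To confirm any of the fixes above, the check the scanner performs can be reproduced against the response headers. The following is an added example, not code from the original post: it flags Set-Cookie headers that lack Secure and mimics the `Header edit Set-Cookie ^(.*)$ $1;Secure` rule to show its effect. The sample headers and all function names are constructed for illustration.

```python
import re

# Constructed sample response headers (not captured from a real server).
SAMPLE_HEADERS = [
    ("Set-Cookie", "JSESSIONID=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/; Secure"),
    ("Set-Cookie", "seen=1; Expires=Wed, 09 Jun 2032 10:18:14 GMT; secure"),
    ("Content-Type", "text/html"),
]


def cookie_attributes(value):
    """Split one Set-Cookie value into (cookie name, lower-cased attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = [p.split("=", 1)[0].strip().lower() for p in parts[1:] if p]
    return name, attrs


def missing_secure(headers):
    """Names of cookies a scan would flag: Set-Cookie without Secure."""
    flagged = []
    for key, value in headers:
        if key.lower() == "set-cookie":
            name, attrs = cookie_attributes(value)
            if "secure" not in attrs:
                flagged.append(name)
    return flagged


def apache_header_edit(value):
    """Mimic `Header edit Set-Cookie ^(.*)$ $1;Secure` on one header value."""
    return re.sub(r"^(.*)$", r"\1;Secure", value, count=1)


def apply_edit(headers):
    """Apply the rewrite to every Set-Cookie header, leaving others alone."""
    return [(k, apache_header_edit(v) if k.lower() == "set-cookie" else v)
            for k, v in headers]


if __name__ == "__main__":
    print("before:", missing_secure(SAMPLE_HEADERS))
    after = apply_edit(SAMPLE_HEADERS)
    print("after: ", missing_secure(after))
    # The pattern matches every cookie, so one that was already Secure
    # ends up with the attribute twice.
    for _, v in after:
        print(v)
```

The attribute name is compared case-insensitively, so `secure` and `Secure` both pass the check.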


54 thoughts on “Adding the Secure Attribute on a Cookie”

    1. For Apache 1.3.9 I think your main focus should probably be on updating your Apache version; there are much more serious issues out there if you’re running such an outdated version. Something like this instead: “Header set Set-Cookie HttpOnly;Secure” should work for older Apache versions for the HttpOnly and the Secure tags…although check this out for issues in that version of Apache:

      Again you really should try and upgrade / patch if at all possible!
