SSL/TLS: Missing `secure` Cookie Attribute

Running the latest Docker build. Our security audit reported the following:

Summary

The host is running a server with SSL/TLS and is prone to information disclosure vulnerability.

Detection Result

The cookies: Set-Cookie: PHPSESSID=replaced; path=/; HttpOnly; SameSite=Lax are missing the “secure” attribute.

Insight

The flaw is due to the cookie not using the ‘secure’ attribute, which allows the cookie to be passed to the server by the client over non-secure channels (http) and allows an attacker to conduct session hijacking attacks.

Detection Method

Details: SSL/TLS: Missing secure Cookie Attribute OID: 1.3.6.1.4.1.25623.1.0.902661

Affected Software/OS

Server with SSL/TLS.

Impact

Solution

Solution Type: Mitigation

Set the ‘secure’ attribute for any cookies that are sent over a SSL/TLS connection.

Any way to fix this issue?

Hi,

You can add CMS_PHP_COOKIE_SECURE=On to your config.env file to turn this on.

Having this on by default is not something we can advocate as our containers don’t provide SSL (it is not practical to do so).
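To verify the fix from the reply above (or reproduce the scanner's finding against your own deployment), the following checker parses raw `Set-Cookie` header lines and reports which of the expected attributes are absent. It is an added illustration for this thread, not Xibo's or the scanner's own code; the sample header lines are constructed, and the second cookie assumes what PHP emits once `session.cookie_secure` is enabled via `CMS_PHP_COOKIE_SECURE=On`.

```python
from typing import Dict, List, Tuple

# Attributes an auditor expects on a session cookie that is only ever
# served over TLS.  "Secure" is the one the scanner flagged as missing.
EXPECTED_ATTRIBUTES = ("Secure", "HttpOnly", "SameSite")


def parse_set_cookie(header_value: str) -> Tuple[str, Dict[str, str]]:
    """Split one Set-Cookie value into (cookie name, {attribute: value}).

    Attribute names are case-insensitive per RFC 6265 (PHP emits "secure"
    in lower case), so keys are normalised to lower case; flag attributes
    such as HttpOnly map to an empty string.
    """
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, _ = parts[0].partition("=")
    attributes: Dict[str, str] = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attributes[key.strip().lower()] = val.strip()
    return name.strip(), attributes


def missing_attributes(header_value: str) -> List[str]:
    """Return the expected attributes absent from one Set-Cookie value."""
    _, attributes = parse_set_cookie(header_value)
    return [a for a in EXPECTED_ATTRIBUTES if a.lower() not in attributes]


def audit_headers(raw_headers: List[str]) -> List[Tuple[str, List[str]]]:
    """Audit every Set-Cookie line in a list of raw response header lines.

    Returns one (cookie name, missing attributes) entry per Set-Cookie
    line, in the order the server sent them.
    """
    findings = []
    for line in raw_headers:
        field, _, value = line.partition(":")
        if field.strip().lower() != "set-cookie":
            continue
        name, _ = parse_set_cookie(value)
        findings.append((name, missing_attributes(value)))
    return findings


# Constructed sample: the header quoted in the finding, then the same
# cookie as PHP emits it once CMS_PHP_COOKIE_SECURE=On is in config.env.
SAMPLE_HEADERS = [
    "HTTP/1.1 200 OK",
    "Content-Type: text/html; charset=UTF-8",
    "Set-Cookie: PHPSESSID=replaced; path=/; HttpOnly; SameSite=Lax",
    "Set-Cookie: PHPSESSID=replaced; path=/; secure; HttpOnly; SameSite=Lax",
]

if __name__ == "__main__":
    for cookie, missing in audit_headers(SAMPLE_HEADERS):
        print(cookie, "missing:", missing or "nothing")
```

Run it against the output of `curl -sI https://your-host/` (split on newlines) to confirm the finding clears once the container is reachable only through a TLS-terminating proxy.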
