The application must set the secure flag on session cookies.

From Application Security and Development Security Technical Implementation Guide

Part of SRG-APP-000219

Associated with: CCI-001184

SV-84825r1_rule The application must set the secure flag on session cookies.

Vulnerability discussion

Many web development frameworks such as PHP, .NET, ASP as well as application servers include their own mechanisms for session management. Whenever possible it is recommended to utilize the provided session management framework.Setting the secure bit on session cookie ensures the session cookie is only sent via TLS/SSL HTTPS connections. This helps to ensure confidentiality as the session cookie is not able to be viewed by unauthorized parties as it transits the network.Setting the secure flag on all cookies may also be warranted depending upon application design but at a minimum, the session cookie must always be secured.

Check content

Review the application documentation and interview the application administrator to identify when session cookies are created. If vulnerability scan results are available, reference the most recent vulnerability scan results. Verify that the scan configuration includes checks for the secure flag on session cookies. If scan configuration settings are not available, follow the manual procedure provided below. Review the scan results and determine if the secure flag not being set was identified as a vulnerability. To manually perform the check, open a web browser, logon to the web application and use the web browser to view the new session cookie. The procedures used for viewing and clearing browser cookies will vary based upon the web browser used. Providing steps for every browser is outside the scope of the STIG. There are numerous sites that document how to view cookies using various web browsers. For IE11: Alt-X >> Internet options >> General >> Settings >> View Files A windows explorer box will open that contains the contents of the Temporary Internet Files. Browse the folder and locate the application session cookie(s). View the contents of the cookie(s). If the "secure" flag is not set on the session cookie, or if the vulnerability scan results indicate the application does not set the secure flag on cookies, this is a finding.

Fix text

Configure the application to ensure the secure flag is set on session cookies.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer