From Application Security and Development Security Technical Implementation Guide
Part of SRG-APP-000219
Associated with: CCI-001184
Many web development frameworks such as PHP, .NET, ASP as well as application servers include their own mechanisms for session management. Whenever possible it is recommended to utilize the provided session management framework.
Review the application documentation and interview the application administrator to identify when session cookies are created. If vulnerability scan results are available, reference the most recent vulnerability scan results. Verify that the scan configuration includes checks for the secure flag on session cookies. If scan configuration settings are not available, follow the manual procedure provided below. Review the scan results and determine if the secure flag not being set was identified as a vulnerability. To manually perform the check, open a web browser, logon to the web application and use the web browser to view the new session cookie. The procedures used for viewing and clearing browser cookies will vary based upon the web browser used. Providing steps for every browser is outside the scope of the STIG. There are numerous sites that document how to view cookies using various web browsers. For IE11: Alt-X >> Internet options >> General >> Settings >> View Files A windows explorer box will open that contains the contents of the Temporary Internet Files. Browse the folder and locate the application session cookie(s). View the contents of the cookie(s). If the "secure" flag is not set on the session cookie, or if the vulnerability scan results indicate the application does not set the secure flag on cookies, this is a finding.
Configure the application to ensure the secure flag is set on session cookies.
Lavender hyperlinks in small type off to the right (of CSS
class id
, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle
or
Accept: application/rdf+xml
.
Powered by sagemincer