Thread: 'Secure' Attribute in Remember-me cookie?

  1. #1

    'Secure' Attribute in Remember-me cookie?

    A security audit was recently performed on our web application, and returned the following warning:

    Vulnerability Detail
    Device app.example.com (xx.xx.xx.xx)
    Vulnerability Missing Secure Attribute in an Encrypted Session (SSL) Cookie
    Port 443/tcp
    Scan Date 05-MAY-2009 14:29


    Other
    Path: /app/j_security_check;jsessionid=CA1082C4AC5212539D7033B83BED3688.web1 --> No "Secure" Attribute on Secure Channel (https) : SPRING_SECURITY_REMEMBER_ME_COOKIE=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/app


    Other
    Path: /app/j_security_check --> No "Secure" Attribute on Secure Channel (https) : SPRING_SECURITY_REMEMBER_ME_COOKIE=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/app

    Should this be cause for concern? When I investigated further, I noticed that my jsessionid cookie had this 'secure' attribute set. Our entire site is currently accessed via https.

  2. #2

    Luke Taylor (Senior Member, Acegi Security System Team / Spring Team; Glasgow, Scotland; joined Aug 2004; 3,449 posts)

    If you use HTTPS exclusively, then it is a good idea to set the "secure" flag on the cookie. You can do this by overriding the setCookie method on the AbstractRememberMeServices implementation you are using.

    Alternatively, disable remember-me authentication.
    Spring - by Pivotal
    twitter @tekul
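A worked example of the override Luke describes, added here; it is neither from the original thread nor part of Spring Security itself. It assumes Spring Security 3.1-era package names and the `(key, userDetailsService)` constructor of `TokenBasedRememberMeServices` (older 2.0.x releases live under `org.springframework.security.ui.rememberme` and use setter injection), and that the application's remember-me services bean can be swapped for this subclass; the class name `SecureRememberMeServices` is made up. Both the cookie that issues the token and the expiring "cancel" cookie (the empty, 1970-dated one in the scan report, written on a failed login or logout) get the Secure attribute, because a scanner flags either response.

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices;

/**
 * Hypothetical subclass (not shipped with Spring Security) that forces the
 * Secure attribute on every remember-me cookie the application writes:
 * the real token on login, and the expired "cancel" cookie on failure/logout.
 */
public class SecureRememberMeServices extends TokenBasedRememberMeServices {

    public SecureRememberMeServices(String key, UserDetailsService userDetailsService) {
        super(key, userDetailsService);
    }

    // Invoked by the framework when a remember-me token is issued after a
    // successful login with the remember-me box ticked.
    @Override
    protected void setCookie(String[] tokens, int maxAge,
                             HttpServletRequest request, HttpServletResponse response) {
        String cookieValue = encodeCookie(tokens);          // inherited helper
        Cookie cookie = new Cookie(getCookieName(), cookieValue);
        cookie.setMaxAge(maxAge);
        cookie.setPath(cookiePath(request));
        cookie.setSecure(true);   // browser sends it over HTTPS only
        response.addCookie(cookie);
    }

    // Invoked on a failed login, a bad token, or logout. This is the
    // Max-Age=0 / Expires-1970 cookie a scanner sees on j_security_check,
    // so it needs the flag as well.
    @Override
    protected void cancelCookie(HttpServletRequest request, HttpServletResponse response) {
        Cookie cookie = new Cookie(getCookieName(), null);
        cookie.setMaxAge(0);
        cookie.setPath(cookiePath(request));
        cookie.setSecure(true);
        response.addCookie(cookie);
    }

    // Mirrors the default path logic: the context path, or "/" for the root context.
    private String cookiePath(HttpServletRequest request) {
        String contextPath = request.getContextPath();
        return contextPath.length() > 0 ? contextPath : "/";
    }
}
```

Wire the subclass in as the `services-ref` of the `<remember-me>` namespace element (or wherever the existing `RememberMeServices` bean is declared) so that both the login filter and the remember-me filter use it, then re-run the scan against `/app/j_security_check` to confirm the `Secure` attribute now appears on the cancel cookie. From Spring Security 3.1 onwards `AbstractRememberMeServices` also exposes a `setUseSecureCookie(boolean)` property (the `use-secure-cookie` namespace attribute), which makes the override unnecessary on those versions.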
