'Secure' Attribute in Remember-me cookie?

**jstehler** · Aug 10th, 2009, 09:02 AM

A security audit was recently performed on our web application, and returned the following warning:

Vulnerability Detail
Device app.example.com (xx.xx.xx.xx)
Vulnerability Missing Secure Attribute in an Encrypted Session (SSL) Cookie
Port 443/tcp
Scan Date 05-MAY-2009 14:29

Other
Path: /app/j_security_check;jsessionid=CA1082C4AC5212539D7033 B83BED3688.web1 --> No "Secure" Attribute on Secure Channel (https) : SPRING_SECURITY_REMEMBER_ME_COOKIE=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/app

Other
Path: /app/j_security_check --> No "Secure" Attribute on Secure Channel (https) : SPRING_SECURITY_REMEMBER_ME_COOKIE=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/app

Should this be cause for concern? When I investigated further, I noticed that my jsessionid cookie had this 'secure' attribute set. Our entire site is accessed currently via https.

Thread: 'Secure' Attribute in Remember-me cookie?

Thread Tools

Display

Threaded View

'Secure' Attribute in Remember-me cookie?

Tags for this Thread

Posting Permissions