Enjoy Sharing Technology!


Friday, November 12, 2021

Appscan:The Secure Attribute is Missing in the Encrypted Session (SSL) Cookie


  AppScan recently reported the finding "The Secure attribute is missing in the encrypted session (SSL) cookie" against one of our projects. The finding has been fixed; the summary is as follows:

1.1 Attack principle

Any cookie, session token or user credential sent to the server in clear text can be intercepted on the network and replayed later for session hijacking or impersonation. A cookie that lacks the Secure attribute is sent by the browser over both HTTP and HTTPS, so a single plain-HTTP request to the site (an image, a redirect, a bookmarked http:// URL) leaks the session cookie even when the application itself is served over TLS. In addition, several privacy regulations require that user credentials and other sensitive information always reach the web site in encrypted form.

1.2 Repair suggestion

   Add the Secure attribute to the cookie, so that the browser only sends it over HTTPS.

1.3 Fix configuration examples

  1) The server is configured for HTTPS (SSL).

  2) Servlet 3.0 (Java EE 6): configure web.xml as follows. This applies to the container-generated session cookie (JSESSIONID):

  <session-config>
    <cookie-config>
      <secure>true</secure>
    </cookie-config>
  </session-config>

  3) ASP.NET: configure Web.config as follows (inside <system.web>):

  <httpCookies requireSSL="true" />

  4) PHP: configure php.ini as follows (the directive name is lowercase; the value is 1 or On):

  session.cookie_secure = 1

  or set it at runtime, before session_start(), for the session cookie:

  // session_set_cookie_params(int $lifetime, string $path, string $domain, bool $secure = false, bool $httponly = false)
  session_set_cookie_params(0, '/', '', true, true);

  or, for cookies the application sets itself:

  // setcookie(string $name, string $value = "", int $expire = 0, string $path = "", string $domain = "", bool $secure = false, bool $httponly = false)
  setcookie('name', $value, 0, '/', '', true, true);

  5) WebLogic: configure weblogic.xml as follows:

  <wls:session-descriptor>
    <wls:cookie-secure>true</wls:cookie-secure>
    <wls:cookie-http-only>true</wls:cookie-http-only>
  </wls:session-descriptor>
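  The web.xml setting in item 2) can also be applied from code through the Servlet 3.0 SessionCookieConfig API, which is handy when the deployment descriptor is generated or cannot be edited. The listener below is an added example written for this page, not code from the original post or from any of the servers listed above; the class name is made up. It must run during context initialisation, because SessionCookieConfig throws IllegalStateException once the context has started.

```java
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;

// Added example: programmatic equivalent of the web.xml <cookie-config> in item 2).
// @WebListener registers it without any web.xml entry (Servlet 3.0+).
@WebListener
public class SecureSessionCookieListener implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        // Settings here are applied to the container's own session cookie
        // (JSESSIONID) for every session created after startup.
        SessionCookieConfig cfg = ctx.getSessionCookieConfig();
        cfg.setSecure(true);    // the attribute AppScan reported as missing
        cfg.setHttpOnly(true);  // also keeps the session id out of document.cookie
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to release
    }
}
```

  Because the change is global it has exactly the same consequence as the web.xml entry: the browser stops sending JSESSIONID on any plain-HTTP request.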

1.4 The actual repair plan

  Solution 1: the project runs on WebSphere, where the attribute can be set in the server's session management settings ("Restrict cookies to HTTPS sessions"):

   In effect this is the same as item 2) under 1.3, adding the configuration to web.xml; both make the AppScan finding go away. The catch is that the deployment environment has to serve both HTTP and HTTPS. With either fix the browser no longer sends the session cookie on HTTP requests, so the functions reached over HTTP stop working. For now the finding has been closed at the cost of giving up the HTTP functions. That is the right trade-off: a session cookie that is also sent in the clear is exposed regardless of what the HTTPS side does, so the durable fix is to redirect HTTP to HTTPS rather than to keep the cookie usable over both.

  Solution 2:

   If a cookie carries the Secure attribute it is transmitted over HTTPS but not over HTTP. Since the system has to support both protocols, the idea was to detect the protocol per request and set the attribute only on HTTPS. request.getScheme() looked like the obvious way, but it returned http even for HTTPS requests. That is not strange: it is what a container sees when TLS is terminated at a reverse proxy or load balancer in front of it, and in that setup request.isSecure() also returns false unless the connector is configured to trust the proxy's X-Forwarded-Proto header. The workaround tried here was to look at the Referer header instead:

  String url = req.getHeader("Referer");
  if (url != null && url.startsWith("https")) {
      cookie.setSecure(true);   // only mark the cookie Secure when the request came over HTTPS
  }

   The Referer is a poor signal for this: it is absent on direct navigation and for the first request, it may be stripped by a Referrer-Policy or a proxy, and it is supplied by the client. X-Forwarded-Proto set by a trusted proxy, or request.isSecure() once the connector trusts that proxy, is the reliable check.

   In any case this approach can only set the attribute on cookies the application code writes itself, not on the cookie the container emits automatically (the session cookie, JSESSIONID), which is the cookie AppScan flagged. Therefore it was not used here.
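  For completeness, this is how Solution 2 looks when the HTTPS check is done properly, as a servlet filter that wraps the response and marks every cookie the application adds as Secure (and HttpOnly) on HTTPS requests only. It is an added example written for this page, not code from the original post or from WebSphere; the class names are made up, and it assumes the reverse proxy in front of the container overwrites X-Forwarded-Proto so a client cannot spoof it. It has the limitation described above: the container's own JSESSIONID does not pass through the wrapper, so that cookie still needs the web.xml or server setting.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

// Added example: per-request Secure flag for application cookies (Servlet 3.0+).
@WebFilter("/*")
public class SecureCookieFilter implements Filter {

    // True when the client reached us over TLS. request.isSecure() is what the
    // container knows directly; behind a TLS-terminating load balancer the
    // container sees plain HTTP (the "getScheme() says http" symptom), so the
    // proxy's X-Forwarded-Proto header is honoured as well.
    // Assumption: the proxy always sets/overwrites X-Forwarded-Proto, so the
    // value cannot come from the client.
    static boolean isHttps(HttpServletRequest req) {
        if (req.isSecure()) {
            return true;
        }
        String proto = req.getHeader("X-Forwarded-Proto");
        return proto != null && proto.trim().equalsIgnoreCase("https");
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        if (isHttps(req)) {
            // Downstream servlets/JSPs see the wrapper, so their addCookie()
            // calls are hardened without touching their code.
            chain.doFilter(req, new SecureCookieResponse(resp));
        } else {
            // Plain HTTP: leave cookies as they are, so HTTP-only functions keep working.
            chain.doFilter(req, resp);
        }
    }

    // Marks every cookie added through the wrapped response as Secure and HttpOnly.
    // Cookies the container emits itself (JSESSIONID) bypass this wrapper.
    static class SecureCookieResponse extends HttpServletResponseWrapper {
        SecureCookieResponse(HttpServletResponse resp) {
            super(resp);
        }

        @Override
        public void addCookie(Cookie cookie) {
            cookie.setSecure(true);
            cookie.setHttpOnly(true);
            super.addCookie(cookie);
        }
    }

    @Override
    public void init(FilterConfig filterConfig) {
        // no configuration needed
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

  Note that on a mixed HTTP/HTTPS site a cookie set Secure during an HTTPS request is simply not sent by the browser on the later HTTP requests, so any state carried by that cookie is unavailable to the HTTP functions; the filter does not remove the underlying conflict, it only avoids marking cookies Secure on the HTTP side.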
