'Secure' Attribute in Remember-me cookie?
  • 'Secure' Attribute in Remember-me cookie?

    A security audit was recently performed on our web application, and returned the following warning:

    Vulnerability Detail
    Device: app.example.com (xx.xx.xx.xx)
    Vulnerability: Missing Secure Attribute in an Encrypted Session (SSL) Cookie
    Port: 443/tcp
    Scan Date: 05-MAY-2009 14:29

    Other
    Path: /app/j_security_check;jsessionid=CA1082C4AC5212539D7033B83BED3688.web1 --> No "Secure" Attribute on Secure Channel (https) : SPRING_SECURITY_REMEMBER_ME_COOKIE=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/app

    Other
    Path: /app/j_security_check --> No "Secure" Attribute on Secure Channel (https) : SPRING_SECURITY_REMEMBER_ME_COOKIE=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/app

    Should this be cause for concern? When I investigated further, I noticed that my jsessionid cookie had this 'secure' attribute set. Our entire site is currently accessed via https.

  • #2
    If you use HTTPS exclusively, then it is a good idea to set the "secure" flag on the cookie. You can do this by overriding the setCookie method on the AbstractRememberMeServices implementation you are using.

    Alternatively, disable remember-me authentication.
