Secure cookies

2 replies

Last post Mar 19, 2015 08:01 AM by lee_in_wv

  • Secure cookies

    Mar 18, 2015 02:31 PM|lee_in_wv

    I have an application running with PHP 5.6.6 and IIS 7.5. Security scans are flagging this as a high vulnerability:

    [-] Testing for cookies without the secure flag ...
    Set-Cookie: PHPSESSID=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0
    Set-Cookie: PHPSESSID=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/

    Is this indeed a security concern? I have managed to configure the cookie that goes to the browser as secure and with the httponly flag.

  • Re: Secure cookies

    Mar 19, 2015 04:27 AM|Fei Han - MSFT

    Hi lee_in_wv,

    Thanks for your post.

    You could try to set the secure and httponly arguments in the setcookie() function.

    secure

    Indicates that the cookie should only be transmitted over a secure HTTPS connection from the client. When set to TRUE, the cookie will only be set if a secure connection exists. On the server-side, it's on the programmer to send this kind of cookie only on secure connection (e.g. with respect to $_SERVER["HTTPS"]).

    httponly

    When TRUE the cookie will be made accessible only through the HTTP protocol. This means that the cookie won't be accessible by scripting languages, such as JavaScript. It has been suggested that this setting can effectively help to reduce identity theft through XSS attacks (although it is not supported by all browsers), but that claim is often disputed. Added in PHP 5.2.0. TRUE or FALSE

    For more information, you could refer to those links.

    Best Regards,

    Fei Han

  • Re: Secure cookies

    Mar 19, 2015 08:01 AM|lee_in_wv

    Hello Fei,

    Thanks for the response. I should have mentioned that a secure cookie is being distributed. I do not understand the purpose of the 2 additional insecure cookies and the potential security ramifications.

    [*] Testing for HTTPS (SSL/TLS) security headers using HTTP/1.0 ...

        [+] Testing for HTTP Strict-Transport-Security (HSTS) header ...
    Strict-Transport-Security: max-age=31536000; includeSubDomains

        [+] Testing for cookies with the secure flag ...
    Set-Cookie: PHPSESSID=l5t9r9p3s4akqg7qhiogtsma43; path=/; secure; HttpOnly

        [-] Testing for cookies without the secure flag ...
    Set-Cookie: PHPSESSID=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0
    Set-Cookie: PHPSESSID=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
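
The setcookie() flags Fei Han describes and the "PHPSESSID=deleted" headers lee_in_wv asks about, as an added PHP example that is not part of the thread: it sets the session cookie's secure and HttpOnly flags before session_start() and deletes the cookie on logout with the same flags, so the deletion Set-Cookie carries them too. It assumes the site is served over HTTPS and that the deletion headers come from an application-side setcookie() call with an empty value (which is what produces "deleted" with a 1970 expiry); the thread does not confirm their origin, and insecure_set_cookie_headers() is a hypothetical self-check, not a PHP built-in.

```php
<?php
// Added example, not code from the thread. Assumes HTTPS and PHP 5.6-era
// setcookie()/session_* signatures.

// Session cookie flags must be in place BEFORE session_start(), because that
// call emits the Set-Cookie for PHPSESSID. These mirror the php.ini settings
// session.cookie_secure and session.cookie_httponly.
ini_set('session.cookie_secure', '1');
ini_set('session.cookie_httponly', '1');
ini_set('session.use_only_cookies', '1'); // never accept a session id from the URL

session_start();

// Logout: destroy server-side state, then expire the cookie in the browser.
// setcookie() with an empty value is what produces
// "PHPSESSID=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0".
// Passing the same path/domain/secure/httponly as the live cookie keeps the
// deletion header from being reported as an insecure cookie.
function logout_and_clear_session_cookie() {
    $params = session_get_cookie_params(); // path/domain used when the cookie was set
    $_SESSION = array();
    session_destroy();
    setcookie(
        session_name(),      // "PHPSESSID" unless renamed
        '',                  // empty value => PHP sends "deleted" with a past expiry
        time() - 3600,
        $params['path'],
        $params['domain'],
        true,                // secure
        true                 // httponly
    );
}

// Hypothetical self-check (assumption, not part of PHP): return every queued
// Set-Cookie header that lacks the secure or HttpOnly attribute, i.e. what the
// scanner in the thread lists under "cookies without the secure flag".
function insecure_set_cookie_headers() {
    $bad = array();
    foreach (headers_list() as $h) {
        if (stripos($h, 'Set-Cookie:') !== 0) {
            continue;
        }
        if (stripos($h, '; secure') === false || stripos($h, '; httponly') === false) {
            $bad[] = $h;
        }
    }
    return $bad;
}
```

Calling insecure_set_cookie_headers() at the end of a logout handler before output is sent shows whether any deletion cookie still goes out without the flags.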