Set-Cookie Does Not Set HttpOnly Flag & Missing Secure Attribute In SSL Session Cookie - IIS 7

    Question

  • Hi All,

    Our security scan reported the below-mentioned vulnerabilities for the application hosted through the IIS 7 web server.

    Set-Cookie Does Not Set HttpOnly Flag

    Missing Secure Attribute In SSL Session Cookie

    IIS 7 is acting as a front-end web server. The penetration test [ Rapid 7 ] reported the above two vulnerabilities, which need to be fixed. Can someone help with how to fix these vulnerabilities at the IIS level?

    Thanks

    • Moved by Mike Laughlin Tuesday, October 6, 2015 12:06 PM From 'Forums Issues' - not reporting an issue with the forums.
    Tuesday, October 6, 2015 11:12 AM

All replies

  • This is how you can fix these on the Apache web server. Apply these steps in Apache:

    • Ensure you have mod_headers.so enabled in your Apache instance.

    Add the following entry in httpd.conf:

    Header edit set-cookie ^(.*)$ $1;httponly;secure

    • Restart Apache web server.

    Note: Header edit is not compatible with Apache versions lower than 2.2.4. So you can follow this to set the httponly and secure flags in versions lower than 2.2.4.

    • Header set set-cookie httponly;secure

    To verify, now open your site with HttpWatch or check online.

    Tuesday, October 6, 2015 11:39 AM
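    For the IIS 7 side of the question, which the reply above does not cover, here is an added web.config example (not from this thread or from Microsoft's own documentation). It assumes an ASP.NET application that is served only over HTTPS (the Secure attribute makes browsers withhold the cookie on plain HTTP) and that the IIS URL Rewrite module is installed; the rule and precondition names are made up for this example.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- Cookies issued by ASP.NET itself (session, forms auth):
         httpOnlyCookies adds HttpOnly, requireSSL adds Secure. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
  <system.webServer>
    <!-- Catch-all for Set-Cookie headers written by other code on the server.
         Requires the IIS URL Rewrite module (assumption for this example).
         Each rule fires only when its precondition finds a Set-Cookie header
         that does not already carry the attribute, so flags are never doubled. -->
    <rewrite>
      <outboundRules>
        <rule name="Add HttpOnly to Set-Cookie" preCondition="Set-Cookie lacks HttpOnly">
          <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" />
          <action type="Rewrite" value="{R:0}; HttpOnly" />
        </rule>
        <rule name="Add Secure to Set-Cookie" preCondition="Set-Cookie lacks Secure">
          <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" />
          <action type="Rewrite" value="{R:0}; Secure" />
        </rule>
        <preConditions>
          <preCondition name="Set-Cookie lacks HttpOnly">
            <!-- header is present ... -->
            <add input="{RESPONSE_Set_Cookie}" pattern="." />
            <!-- ... and does not already contain the attribute (match is case-insensitive) -->
            <add input="{RESPONSE_Set_Cookie}" pattern="; HttpOnly" negate="true" />
          </preCondition>
          <preCondition name="Set-Cookie lacks Secure">
            <add input="{RESPONSE_Set_Cookie}" pattern="." />
            <add input="{RESPONSE_Set_Cookie}" pattern="; Secure" negate="true" />
          </preCondition>
        </preConditions>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
```

    After applying it, re-run the scan or inspect a response in the browser's network tools: every Set-Cookie header should now end with "; HttpOnly; Secure".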
  • Hi,

    The IIS forums are on a separate platform:

    http://forums.iis.net/


    Tuesday, October 6, 2015 12:07 PM