1 Reply Latest reply on Jun 27, 2007 5:41 AM by begendoe

    SSL Cookie Not Used - Vulnerability?

      A WebInspect scan of our CF app turns up this 'non-ssl cookie' as a vulnerability. I am looking for an explanation as to why this is, or isn't, a true vulnerability. I was told by a CF expert that it is just WebInspect being too critical, however, our information security folks need more than that to OK our application. If it really is an issue, how would I go about fixing it?

      The exact message is posted below:

      File Names: • https://oit-cfmx-ace-devl.cc.nd.edu:60137/

      Summary: This policy states that any area of the website or web application that contains sensitive information or access to privileged functionality such as remote site administration requires that all cookies are sent via SSL during an SSL session. WebInspect has detected that the URL: https://oit-cfmx-ace-devl.cc.nd.edu:60137/ has failed this policy. If a cookie is marked secure, it will only be transmitted if the communications channel with the host is a secure one. Currently this means that secure cookies will only be sent to HTTPS (HTTP over SSL) servers. If secure is not specified, a cookie is considered safe to be sent in the clear over unsecured channels.

      For more information refer to the following white paper:
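The policy quoted above can be reproduced in a few lines, which makes it easier to show the security team exactly what the scanner is objecting to. This is an added example, not WebInspect's code or anything from the poster's application; the Set-Cookie headers are constructed sample data (cookie names chosen to look like ColdFusion's, values made up).

```python
"""Flag cookies that an HTTPS response set without the Secure attribute.

Constructed sample: three Set-Cookie headers such as a ColdFusion app
might return. Names and values are made up for illustration only.
"""

SAMPLE_HEADERS = [
    "CFID=12345; Path=/",
    "CFTOKEN=67890; Path=/; Secure",
    "JSESSIONID=abc123; Path=/; HttpOnly",
]


def parse_set_cookie(header):
    """Split one Set-Cookie header into (cookie name, set of lowercase attribute names)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = set()
    for part in parts[1:]:
        key = part.split("=", 1)[0].strip().lower()
        if key:
            attrs.add(key)
    return name, attrs


def cookies_missing_secure(headers, over_tls=True):
    """Return the names of cookies that fail the scanner's policy.

    The policy only applies to cookies set during a TLS session: without
    the Secure attribute the browser will also send the cookie over plain
    HTTP to the same host, so a session identifier can cross the network
    in the clear even though it was issued over HTTPS.
    """
    if not over_tls:
        return []
    findings = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if "secure" not in attrs:
            findings.append(name)
    return findings


if __name__ == "__main__":
    for name in cookies_missing_secure(SAMPLE_HEADERS):
        print(f"cookie {name!r} lacks the Secure attribute")
```

Run against real response headers, the second and third cases are the ones to look for: a cookie carrying HttpOnly but not Secure still fails this check. In CFML the attribute is added with the `secure` attribute of the `cfcookie` tag.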