A WebInspect scan of our CF app turns up this 'non-ssl
cookie' as a vulnerability. I am looking for an explanation as to
why this is, or isn't, a true vulnerability. I was told by a CF
expert that it is just WebInspect being too critical, however, our
information security folks need more than that to OK our
application. If it really is an issue, how would I go about fixing
it?
The exact message is posted below:
File Names: https://oit-cfmx-ace-devl.cc.nd.edu:60137/
Summary: This policy states that any area of the website or
web application that contains sensitive information or
access to privileged functionality such as remote site
administration requires that all cookies are sent via
SSL during a SSL session. Webinspect has detected that the
URL:
https://oit-cfmx-ace-devl.cc.nd.edu:60137/ has failed this
policy. If a cookie is marked secure, it will only be
transmitted if the communications channel with the host is a
secure one. Currently this means that secure
cookies will only be sent to HTTPS (HTTP over SSL) servers.
If secure is not specified, a cookie is considered
safe to be sent in the clear over unsecured channels.
For more information refer to the following white paper:
http://wp.netscape.com/newsref/std/cookie_spec.html
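As an added example (not part of the original post or of WebInspect), here is a small Python check for the condition the scanner summary describes: a cookie issued during an HTTPS session without the Secure attribute, plus the corrected header. The Set-Cookie lines and the URL are constructed sample input, not captured from the host named in the post.

```python
# Added example: audit Set-Cookie headers for the missing Secure attribute
# behind the WebInspect 'non-SSL cookie' finding, and show the fixed header.

# Constructed sample response headers (names merely resemble ColdFusion's
# session cookies); not captured from any real server.
SAMPLE_HEADERS = [
    "Set-Cookie: CFID=12345; Path=/",
    "Set-Cookie: CFTOKEN=67890; Path=/; HttpOnly",
    "Set-Cookie: SESSIONPREF=lang%3Den; Path=/; Secure",
]


def parse_set_cookie(header: str):
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    body = header.split(":", 1)[1].strip() if header.lower().startswith("set-cookie:") else header
    parts = [p.strip() for p in body.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # flag attributes (Secure, HttpOnly) get ""
    return name.strip(), value, attrs


def find_non_secure_cookies(headers, url):
    """Return names of cookies set over an https:// URL without the Secure attribute.

    Without Secure, the browser will also send the cookie on any later plain-http
    request to the same host, which is what the scanner policy objects to."""
    if not url.lower().startswith("https://"):
        return []  # the policy only applies to cookies issued during an SSL session
    findings = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if "secure" not in attrs:
            findings.append(name)
    return findings


def add_secure_attribute(header: str) -> str:
    """Return the header with '; Secure' appended when it is missing (idempotent)."""
    _, _, attrs = parse_set_cookie(header)
    return header if "secure" in attrs else header.rstrip("; ") + "; Secure"


if __name__ == "__main__":
    url = "https://example.invalid:60137/"  # placeholder, not the post's host
    for cookie in find_non_secure_cookies(SAMPLE_HEADERS, url):
        print(f"non-SSL cookie: {cookie}")
```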