Hi,
Scanalert found the following two vulnerabilities with my CRM installation:
1. Missing Secure Attribute in an Encrypted Session (SSL) Cookie
Description
The application sets a cookie over a secure channel without using the "secure" attribute. RFC states that if the cookie does not have the secure attribute assigned to it, then the cookie can be passed to the server by the client over non-secure channels (http). Using this attack, an attacker may be able to intercept this cookie, over the non-secure channel, and use it for a session hijacking attack.
General Solution
It is best business practice that any cookies that are sent (set-cookie) over an SSL connection to explicitly state secure on them.
2. Potentially Sensitive Information Missing Secure Attribute in an Encrypted Session (SSL) Cookie.
Description
The application sets a cookie over a secure channel without using the "secure" attribute. RFC states that if the cookie does not have the secure attribute assigned to it, then the cookie can be passed to the server by the client over non-secure channels (http). Using this attack, an attacker may be able to intercept this cookie, over the non-secure channel, and use it for a session hijacking attack. The information that was sent was flagged as being potentially sensitive. Potentially sensitive information could be session tokens, user id's, or passwords.
General Solution
It is best business practice that any cookies that are sent (set-cookie) over an SSL connection to explicitly state secure on them. Speak with your web developer to have them enable the secure attribute on cookies sent over secure connections.
Can someone help me set SSL for the cookies?
Thank you!
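To make the scanner's finding concrete, here is an added example (not code from the post or from any CRM product) that checks a Set-Cookie header for the Secure attribute the report asks for, and rebuilds it with Secure (and HttpOnly) added. The sample header is constructed; `parse_set_cookie`, `audit_set_cookie` and `harden_set_cookie` are names chosen here.

```python
# Added example: audit Set-Cookie headers for the Secure attribute the
# scanner flagged, and emit a hardened header. Not code from the post's
# CRM; the sample header below is constructed for illustration.

def parse_set_cookie(header):
    """Split 'name=value; attr; attr=val' into (name, value, [(attr, val)])."""
    pairs = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = pairs[0].partition("=")
    attrs = []
    for p in pairs[1:]:
        k, _, v = p.partition("=")
        attrs.append((k.strip(), v.strip() if v else None))
    return name.strip(), value.strip(), attrs

def audit_set_cookie(header, over_tls=True):
    """Return a list of findings; an empty list means the header passes."""
    _, _, attrs = parse_set_cookie(header)
    present = {k.lower() for k, _ in attrs}
    findings = []
    if over_tls and "secure" not in present:
        findings.append("missing Secure")     # the scanner's finding
    if "httponly" not in present:
        findings.append("missing HttpOnly")   # keeps scripts from reading it
    return findings

def harden_set_cookie(header):
    """Rebuild the header with Secure and HttpOnly appended if absent."""
    name, value, attrs = parse_set_cookie(header)
    present = {k.lower() for k, _ in attrs}
    if "secure" not in present:
        attrs.append(("Secure", None))
    if "httponly" not in present:
        attrs.append(("HttpOnly", None))
    out = [f"{name}={value}"]
    out += [k if v is None else f"{k}={v}" for k, v in attrs]
    return "; ".join(out)

# Constructed sample: a PHP-style session cookie as a CRM might set it.
SAMPLE = "PHPSESSID=abc123; path=/"

if __name__ == "__main__":
    print(audit_set_cookie(SAMPLE))   # ['missing Secure', 'missing HttpOnly']
    print(harden_set_cookie(SAMPLE))  # PHPSESSID=abc123; path=/; Secure; HttpOnly
```

The audit half is what the scanner does from the outside; the harden half shows the header the server should have sent, which in practice means enabling the secure flag in the CRM's session configuration rather than rewriting headers after the fact.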

