
Secure cookie flag

I have noticed that one vulnerability comes up in the results of many penetration tests: “The application doesn’t use secure cookie flag”.

Penetration testers generally mark this vulnerability as “Severity Low”, but that doesn’t mean you should ignore it. The flag plays an important role in protecting your data, and the best part is that it is very easy to fix!

First things first: what is the secure cookie flag?

What is secure cookie flag?

When cookies are sent in clear text as part of HTTP requests, unauthorized parties can access their content by intercepting the request (also called a man-in-the-middle attack).

Access to a cookie’s content may result in unauthorized access to users’ personal information and other sensitive data, such as the authentication tokens that are used to log in to web applications.

The secure cookie flag is a parameter that forces the application to use secure cookies, so that the browser and the web server transfer cookies only over a secure (HTTPS) connection. As a result, unauthorized parties cannot see the cookie content. Microsoft recommends configuring web applications to force the use of secure cookies.

Having a problem with ASP.NET session IDs? Check this post out.

How to fix it?

To force an ASP.NET application to use secure cookies, add the following line to the <system.web> section of the web.config file:

<httpCookies requireSSL="true"/>

If you are using Forms Authentication, make sure to include the “requireSSL” attribute in the <forms> element. For example:

<system.web>
    <authentication mode="Forms">
        <forms requireSSL="true">
            <!-- forms content -->
        </forms>
    </authentication>
</system.web>

Confirm the fix

To confirm that a cookie carries the secure flag, use the F12 Developer Tools in the browser or a third-party tool such as Fiddler. Check the response headers to see whether the word “secure” is there.

[Screenshot: Secure cookie flag is displayed. Cookie is secured.]

As you can see in the screenshot, the “test” cookie is marked “secure”. Therefore, it will show up only in HTTPS connections.
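
One way to automate the header check described above (an added example, not code from the original post; the sample headers and function names are constructed for illustration). It parses each Set-Cookie header into its attributes instead of searching for the word “secure”, so a cookie whose name or value merely contains that word is not mistaken for a secured one.

```python
# Added example: audit Set-Cookie response headers for the Secure attribute.
# SAMPLE_HEADERS is constructed sample data, not captured from a real site.

SAMPLE_HEADERS = [
    "Set-Cookie: test=abc123; path=/; secure; HttpOnly",
    "Set-Cookie: ASP.NET_SessionId=xyz; path=/; HttpOnly",
    "Set-Cookie: secure_pref=1; path=/",           # "secure" only in the name
    "Set-Cookie: theme=insecure; Path=/; SECURE",  # attribute names are case-insensitive
]


def parse_set_cookie(header_line):
    """Return (cookie_name, set_of_lowercased_attribute_names)."""
    name, sep, value = header_line.partition(":")
    if not sep or name.strip().lower() != "set-cookie":
        raise ValueError("not a Set-Cookie header: %r" % header_line)
    parts = value.split(";")
    # The first segment is name=value; everything after it is an attribute.
    cookie_name = parts[0].partition("=")[0].strip()
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:] if p.strip()}
    return cookie_name, attrs


def cookies_missing_secure(header_lines):
    """Names of cookies whose Set-Cookie header lacks the Secure attribute."""
    missing = []
    for line in header_lines:
        cookie_name, attrs = parse_set_cookie(line)
        if "secure" not in attrs:
            missing.append(cookie_name)
    return missing


if __name__ == "__main__":
    for name in cookies_missing_secure(SAMPLE_HEADERS):
        print("missing Secure flag:", name)
```

Paste the Set-Cookie lines copied from the F12 tools or Fiddler into the list to check a real response.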
