Thread: Missing HttpOnly Flag From Cookie/Missing Secure Flag From SSL Cookie



Replies: 5 - Last Post: Feb 19, 2018 2:42 AM Last Post By: Pramod Nair
Pramod Nair

Posts: 105
Registered: 5/21/06
Missing HttpOnly Flag From Cookie/Missing Secure Flag From SSL Cookie
  Posted: Feb 4, 2018 10:01 PM
Getting two more vulnerabilities, 'Missing HttpOnly Flag From Cookie' and 'Missing Secure Flag From SSL Cookie', in the penetration test.
Re 'Missing HttpOnly Flag From Cookie' - I hope that enabling the 'httponly' option in the CookiesOption of the ServerController fixes this issue?
Re 'Missing Secure Flag From SSL Cookie' - do we want to enable the 'Secure' option in the CookiesOption to fix this issue? If it is enabled, when I open the site I am getting the error 'cookies are disabled in your browser....'
Pramod Nair

Posts: 105
Registered: 5/21/06
Re: Missing HttpOnly Flag From Cookie/Missing Secure Flag From SSL Cookie
  Posted: Feb 7, 2018 8:40 PM   in response to: Pramod Nair
Re 'Missing HttpOnly Flag From Cookie' - I hope that enabling the 'httponly' option in the CookiesOption of the ServerController fixes this issue?
After I enabled the httponly option, this issue got resolved in the penetration test.
Re 'Missing Secure Flag From SSL Cookie':
How can I resolve this vulnerability, please?

Alexandre Machado

Posts: 1,754
Registered: 8/10/13
Re: Missing HttpOnly Flag From Cookie/Missing Secure Flag From SSL Cookie
  Posted: Feb 8, 2018 4:02 PM   in response to: Pramod Nair
Pramod Nair wrote:
Re 'Missing HttpOnly Flag From Cookie' - I hope that enabling the 'httponly' option in the CookiesOption of the ServerController fixes this issue?
After I enabled the httponly option, this issue got resolved in the penetration test.
Re 'Missing Secure Flag From SSL Cookie':
How can I resolve this vulnerability, please?


We are also working on that, Pramod.

The issue happens on your application because you start it as HTTP and then switch to HTTPS, correct?
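
Added example (not part of the thread and not IntraWeb code): a Python check for the two findings named above, together with the standard browser rule that a Secure cookie is only sent back over HTTPS, which is the HTTP-then-HTTPS situation asked about in the reply above. The cookie name and values are constructed sample data.

```python
# Added example: audits Set-Cookie headers for the two pentest findings and
# models the RFC 6265 rule that Secure cookies are only sent over HTTPS.
# The cookie name and values below are constructed sample data.

def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, attributes dict)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Attribute names are case-insensitive, so normalise them.
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def audit(header, served_over_https):
    """Return the scanner-style findings for one Set-Cookie header."""
    _, _, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append("Missing HttpOnly Flag From Cookie")
    # The Secure finding only applies to cookies issued on an HTTPS response.
    if served_over_https and "secure" not in attrs:
        findings.append("Missing Secure Flag From SSL Cookie")
    return findings

def browser_sends_cookie(header, request_scheme):
    """A Secure cookie is returned only on https requests (RFC 6265, 5.4)."""
    _, _, attrs = parse_set_cookie(header)
    return "secure" not in attrs or request_scheme == "https"

SAMPLES = {
    "no flags": "SESSIONID=abc123; Path=/",
    "HttpOnly only": "SESSIONID=abc123; Path=/; HttpOnly",
    "HttpOnly + Secure": "SESSIONID=abc123; Path=/; HttpOnly; Secure",
}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        print(label, "->", audit(header, served_over_https=True))
        for scheme in ("http", "https"):
            print("   sent back over", scheme, ":",
                  browser_sends_cookie(header, scheme))
```

A server that sets a Secure session cookie on a page first loaded over HTTP will not receive it on the next HTTP request, which to the application looks the same as cookies being turned off.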
Pramod Nair

Posts: 105
Registered: 5/21/06
Re: Missing HttpOnly Flag From Cookie/Missing Secure Flag From SSL Cookie
  Posted: Feb 8, 2018 5:43 PM   in response to: Alexandre Machado
I am passing the SSL port through the ini file, which is called in the IWServerControllerBaseCreate event:

procedure TIWServerController.IWServerControllerBaseCreate(
  Sender: TObject);
begin
  // Use the SSL port from the ini file when SSL is enabled
  if GlobalDataModule.bRunSSL then
    SSLOptions.Port := GlobalDataModule.iSSLPort;
end;


Alexandre Machado

Posts: 1,754
Registered: 8/10/13
Re: Missing HttpOnly Flag From Cookie/Missing Secure Flag From SSL Cookie
  Posted: Feb 18, 2018 11:32 PM   in response to: Pramod Nair
Pramod Nair wrote:
I am passing the SSL port through the ini file, which is called in the IWServerControllerBaseCreate event:

procedure TIWServerController.IWServerControllerBaseCreate(
  Sender: TObject);
begin
  // Use the SSL port from the ini file when SSL is enabled
  if GlobalDataModule.bRunSSL then
    SSLOptions.Port := GlobalDataModule.iSSLPort;
end;

This has been resolved in our code base. Next release (which will be from 14.3.0 branch) will fix that.

I expect to release it later this week.

Kind regards
Pramod Nair

Posts: 105
Registered: 5/21/06
Re: Missing HttpOnly Flag From Cookie/Missing Secure Flag From SSL Cookie
  Posted: Feb 19, 2018 2:42 AM   in response to: Alexandre Machado
Thanks Alex
