Cookie Not Marked as Secure

A session cookie that is set over HTTPS but not marked as Secure can be stolen by an attacker who can intercept the traffic. The browser will also transmit such a cookie over a plain HTTP connection, so an attacker who intercepts that request can hijack the session.
If the attacker can carry out such an attack, he can force the user's browser to make an HTTP request to your website in order to steal the cookie.

So you should mark all cookies used within the application as Secure.

Apache .htaccess rule (requires mod_headers) -

# Append "; Secure" to every Set-Cookie header, including those on error responses.
# "Header set" would replace the whole cookie with the literal value "Secure", so "edit" is used.
Header always edit Set-Cookie ^(.*)$ "$1; Secure"

Similarly, the rule for web.config (IIS URL Rewrite; place it under system.webServer/rewrite/outboundRules) -

<rule name="Add Secure">
  <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" />
  <conditions>
    <!-- only rewrite cookies that do not already carry the attribute -->
    <add input="{R:0}" pattern="; Secure" negate="true" />
  </conditions>
  <action type="Rewrite" value="{R:0}; Secure" />
</rule>
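To see the failure mode described above and to audit Set-Cookie headers for it, here is an added example (not part of the original post) using only the Python standard library: http.cookiejar plays the browser's cookie store, and the hostname example.test and the cookie values are constructed.

```python
import urllib.request
from email.message import Message
from http.cookiejar import CookieJar

SITE = "example.test"  # constructed hostname, not a real site


class _Response:
    """Minimal stand-in for the response object CookieJar.extract_cookies() expects."""

    def __init__(self, set_cookie_headers):
        self._headers = Message()
        for value in set_cookie_headers:
            self._headers["Set-Cookie"] = value  # Message allows repeated headers

    def info(self):
        return self._headers


def cookies_sent_over_http(set_cookie_headers):
    """Names of cookies a browser would attach to a plain-HTTP request after
    receiving set_cookie_headers from an HTTPS response on the same host."""
    jar = CookieJar()
    login = urllib.request.Request(f"https://{SITE}/login")
    jar.extract_cookies(_Response(set_cookie_headers), login)

    # The request an attacker could force the victim's browser to make over HTTP.
    plain = urllib.request.Request(f"http://{SITE}/")
    jar.add_cookie_header(plain)  # the Secure policy drops flagged cookies here
    header = plain.get_header("Cookie") or ""
    return sorted(p.split("=", 1)[0].strip() for p in header.split(";") if p.strip())


def missing_secure(set_cookie_headers):
    """Audit helper: names of cookies whose Set-Cookie header lacks the Secure attribute."""
    bad = []
    for value in set_cookie_headers:
        name = value.split(";", 1)[0].split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in value.split(";")[1:]}
        if "secure" not in attrs:
            bad.append(name)
    return bad


# Constructed sample headers: one cookie flagged Secure, one not.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",
    "csrftoken=xyz789; Path=/; Secure; HttpOnly",
]

if __name__ == "__main__":
    print("Lacking Secure:", missing_secure(SAMPLE_HEADERS))          # ['sessionid']
    print("Sent over HTTP:", cookies_sent_over_http(SAMPLE_HEADERS))  # ['sessionid']
```

Only the cookie without the flag is attached to the HTTP request, which is exactly what the .htaccess and web.config rules above prevent.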
