HTTP Cookie is missing secure attribute

book

Article ID: 132121

calendar_today

Updated On:

Products

CA Application Performance Management Agent (APM / Wily / Introscope) INTROSCOPE

Issue/Introduction

A vulnerability scan has found HTTP Cookie is missing the secure attribute on EM port 8080 and 8081:

HTTP Cookie missing Secure attribute on port 8080.
   Set-Cookie: WSESSIONID=node0xi0c1b58dxdyelkdrhrawrfe83130.node0;Path=/;HttpOnly GET / HTTP/1.1 Host: xxx.testCABroadcom.com:8080 Connection: Keep-Alive#
   Session cookies sent via HTTP expose users to sniffing attacks that could lead to user impersonation or account compromise.

HTTP Cookie missing Secure attribute on port 8081.
   Set-Cookie: JSESSIONID=node01ivg0spordnr3w8oofjypg72s7h228.node0;Path=/GET / HTTP/1.1 Host: xxx.testCABroadcom.com:8081 Connection: Keep-Alive# 
   Session cookies sent via HTTP expose users to sniffing attacks that could lead to user impersonation or account compromise.
 


1. By utilizing SSL communication (configuring for TLS), does this automatically add the secure attribute to the cookie, so that if HTTP clear is used, the cookie will not be sent? Or does this require that HTTP clear ports 8080 and 8081 are shut down?
2. If clear ports are still allowed, and the cookie is not sent due to the secure attribute, what data/functionality is lost?

Environment

DX APM 10.x

Resolution

You can configure secure communication in em-jetty-config.xml. In the file there are two sections: one for secure port 8444 that is active and another for unsecure port 8081 that is commented out. Those settings only work if en-jetty-config.xml is enabled in IntroscopeEnterpriseManager.properties.


Both ports https://em:8444 and http://em:8081 you have to uncomment the second section
(i.e. close the comment after “<!-- Configure non-secure http connector for the Jetty Server” with “——>”.
Same for web view.

A secure cookie is only sent to the server with an encrypted request over the HTTPS protocol. Even with Secure, sensitive information should never be stored in cookies, as they are inherently insecure and this flag can't offer real protection. Starting with Chrome 52 and Firefox 52, insecure sites (http:) can't set cookies with the Secure directive.

https://docops.ca.com/ca-apm/10-7/en/administrating/apm-security/ssl-and-tls-communications-overview

https://en.wikipedia.org/wiki/Secure_cookie