Bug #10275 (closed)
CVE-2015-3155 - The _session_id cookie is issued without the Secure flag
Description
Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1215622
Description of problem:
Strategic customer has run penetration test as part of preparation for PCI-DSS audit.
One of the issues found is the following:
==============================================
SSL Cookie Without Secure Flag Set
Risk: Medium
Abstract
If the secure flag is set on a cookie, then the browser will not submit the cookie in any request
that uses an unencrypted HTTP connection, thereby preventing the cookie from being trivially
intercepted by an attacker monitoring network traffic. If the secure flag is not set, then the
cookie will be transmitted in clear text if the user visits any HTTP URLs within the cookie's
scope. An attacker may be able to induce this event by feeding a user a suitable link, either
directly or via another web site.
Specific Findings
In Red Hat Satellite 6, the _session_id cookie is set without the Secure flag:
_session_id=; path=/; HttpOnly
Remedy
The secure flag should be set on all cookies that are used for transmitting sensitive data when
accessing content over HTTPS. If cookies are used to transmit session tokens, then areas of the
application that are accessed over HTTPS should employ their own session handling
mechanism, and the session tokens used should never be transmitted over unencrypted
communications.
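A small regression check for this class of finding, added here as an example (not Foreman or Satellite code): it parses Set-Cookie header values and reports session cookies that lack a required attribute. The sample headers are constructed; the first one reproduces the finding above.

```ruby
# Added example (not Foreman/Satellite code): audit Set-Cookie headers for
# session cookies that are missing the Secure (or HttpOnly) attribute, the
# way a pentest tool or a post-fix regression test would.

# Parse one Set-Cookie header value into the cookie name and its attribute
# names (lower-cased, values dropped), e.g. "path", "secure", "httponly".
def parse_set_cookie(header)
  parts = header.split(';').map(&:strip)
  name  = parts.shift.split('=', 2).first
  attrs = parts.map { |p| p.split('=', 2).first.downcase }
  { name: name, attrs: attrs }
end

# Return the names of cookies matching +pattern+ (default: session cookies)
# that do not carry +flag+. An empty array means the check passed.
def cookies_missing_flag(headers, flag, pattern: /session/i)
  headers.map { |h| parse_set_cookie(h) }
         .select { |c| c[:name] =~ pattern && !c[:attrs].include?(flag.downcase) }
         .map { |c| c[:name] }
end

# Constructed sample input: the header from the report, a fixed header,
# and an unrelated non-session cookie that the default pattern ignores.
SAMPLE_HEADERS = [
  '_session_id=; path=/; HttpOnly',                # as reported: no Secure
  '_session_id=abc123; path=/; Secure; HttpOnly',  # after the fix
  'theme=dark; path=/'                             # not a session cookie
].freeze

if __FILE__ == $0
  missing = cookies_missing_flag(SAMPLE_HEADERS, 'Secure')
  if missing.empty?
    puts 'OK: all session cookies carry the Secure flag'
  else
    puts "Missing Secure flag: #{missing.join(', ')}"
  end
end
```

In a Rails application such as Foreman the corresponding remedy is the `secure: true` option on `config.session_store`, so the session cookie is only ever sent over HTTPS.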