UCF STIG Viewer Logo

The application must set the secure flag on session cookies.


Overview

Finding ID Version Rule ID IA Controls Severity
V-70203 APSC-DV-002220 SV-84825r1_rule Medium
Description
Many web development frameworks such as PHP, .NET, ASP as well as application servers include their own mechanisms for session management. Whenever possible it is recommended to utilize the provided session management framework. Setting the secure bit on session cookie ensures the session cookie is only sent via TLS/SSL HTTPS connections. This helps to ensure confidentiality as the session cookie is not able to be viewed by unauthorized parties as it transits the network. Setting the secure flag on all cookies may also be warranted depending upon application design but at a minimum, the session cookie must always be secured.
STIG Date
Application Security and Development Security Technical Implementation Guide 2018-04-03

Details

Check Text ( C-70679r1_chk )
Review the application documentation and interview the application administrator to identify when session cookies are created.

If vulnerability scan results are available, reference the most recent vulnerability scan results.

Verify that the scan configuration includes checks for the secure flag on session cookies. If scan configuration settings are not available, follow the manual procedure provided below.

Review the scan results and determine if the secure flag not being set was identified as a vulnerability.

To manually perform the check, open a web browser, logon to the web application and use the web browser to view the new session cookie.

The procedures used for viewing and clearing browser cookies will vary based upon the web browser used. Providing steps for every browser is outside the scope of the STIG. There are numerous sites that document how to view cookies using various web browsers.

For IE11:
Alt-X >> Internet options >> General >> Settings >> View Files

A windows explorer box will open that contains the contents of the Temporary Internet Files. Browse the folder and locate the application session cookie(s). View the contents of the cookie(s).

If the "secure" flag is not set on the session cookie, or if the vulnerability scan results indicate the application does not set the secure flag on cookies, this is a finding.
Fix Text (F-76439r1_fix)
Configure the application to ensure the secure flag is set on session cookies.