"Missing Secure Attribute SSL Cookie Information Disclosure Vulnerability"

Hi,

I need some help on a security issue.

I have done the first security audit of a new web application which uses Vaadin (and which is still in development). I used the OpenVAS scanner to check whether there are any security holes on the test server. On this server the web application is only available over SSL (https). In front of the web application an Apache httpd is installed as a “proxy”, which also adds the SSL functionality (so the web application runs behind Apache without SSL).

One of the security issues with priority “High” found by OpenVAS is:


Missing Secure Attribute SSL Cookie Information Disclosure Vulnerability 

Overview: The host is running a server with SSL and is prone to information
  disclosure vulnerability.

  Vulnerability Insight:
  The flaw is due to SSL cookie is not using 'secure' attribute, which
  allows cookie to be passed to the server by the client over non-secure
  channels (http) and allows attacker to conduct session hijacking attacks.
  remote systems.

  Impact Level: Application

  Affected Software/OS:
  Server with SSL.

  Workaround:
  Set the 'secure' attribute for any cookies that are sent over an SSL connection.

  References:
  http://www.ietf.org/rfc/rfc2965.txt
  https://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002) 

I have checked the HTTP header. Vaadin adds the following cookie:


Set-Cookie: JSESSIONID=aad873d6883e2e01ccc55e26138c; Path=/; HttpOnly

Is there a way to add the “secure” attribute to the VAADIN session cookie?

Is it right that if I activate the HSTS header in Apache, this is a good and secure workaround for the missing “secure” attribute in the cookie?

Thanks and regards,
Steffen


EDIT:

I have now tested the Vaadin session cookie without using Apache httpd as a proxy, so the Vaadin web application is running on GlassFish directly over https/SSL. But the “secure” attribute is still missing:


Cookie: JSESSIONID=aefa1d87e44367997ed475ba7c79


EDIT 2:

The comment in the last edit is wrong! GlassFish definitely sets the secure flag on cookies for secure connections.

Well, the session cookie is managed by the servlet container and not by Vaadin itself. Some information I found regarding this topic:


White Hat Security


StackOverflow discussion about how to set HttpOnly on Tomcat, which might also apply to secure

Great! Thanks. :)

The problem is that my GlassFish runs on an unsecured connection (only http). The Apache httpd proxy is adding SSL. But the cookie is generated by GlassFish for an unsecured connection, and so the secure flag is missing.

Short solution: force GlassFish to set the cookie secure attribute as described here: https://blogs.oracle.com/jluehe/entry/ow_to_configure_the_security

Maybe I could alternatively configure the Apache proxy to add the secure flag to cookies.
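As an added example, not code from this thread, from Vaadin or from GlassFish, the following Python models the two mechanisms discussed above: the check behind the OpenVAS finding (is the `Secure` attribute present on a cookie that is set over HTTPS, and is `HttpOnly` present on a session cookie), and the rewrite a TLS-terminating reverse proxy can apply to a `Set-Cookie` header when the backend, which only sees plain http, omits the flag. Note that cookie attributes appear only in the server's `Set-Cookie` response header; the client's `Cookie:` request header carries just name=value pairs, so a check has to inspect the response, not the request. All header values below are constructed samples.

```python
"""Audit Set-Cookie headers for Secure/HttpOnly and model a proxy-side Secure rewrite.

Added example (not part of the original thread). Header values are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class ParsedCookie:
    name: str
    value: str
    # lower-cased attribute name -> attribute value ("" for bare flags such as Secure)
    attributes: dict = field(default_factory=dict)


def parse_set_cookie(header_value: str) -> ParsedCookie:
    """Split 'NAME=VALUE; attr=v; Flag' into its parts; attribute names are case-insensitive."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return ParsedCookie(name.strip(), value.strip(), attrs)


def missing_attributes(header_value: str, over_tls: bool = True) -> list:
    """Return the hardening attributes the cookie lacks.

    Secure is only expected when the cookie was set over HTTPS (the scanner's
    condition); HttpOnly is expected for a session cookie on any transport.
    """
    cookie = parse_set_cookie(header_value)
    missing = []
    if over_tls and "secure" not in cookie.attributes:
        missing.append("Secure")
    if "httponly" not in cookie.attributes:
        missing.append("HttpOnly")
    return missing


def add_secure_flag(header_value: str) -> str:
    """Append '; Secure' if absent: the edit a TLS-terminating proxy makes when the
    backend behind it (plain http) does not set the flag itself. Idempotent."""
    cookie = parse_set_cookie(header_value)
    if "secure" in cookie.attributes:
        return header_value
    return header_value.rstrip().rstrip(";") + "; Secure"


def audit(header_values: list, over_tls: bool = True) -> list:
    """Report (cookie name, missing attributes) for every Set-Cookie header of a response."""
    return [(parse_set_cookie(h).name, missing_attributes(h, over_tls)) for h in header_values]


# Constructed samples: the first has the shape from the thread (HttpOnly but no Secure),
# the second is fully hardened, the third is a non-session cookie with no attributes.
SAMPLE_HEADERS = [
    "JSESSIONID=CONSTRUCTED1234567890; Path=/; HttpOnly",
    "JSESSIONID=CONSTRUCTED0987654321; Path=/; Secure; HttpOnly",
    "prefs=dark; Path=/",
]


if __name__ == "__main__":
    for name, missing in audit(SAMPLE_HEADERS):
        print(f"{name}: {'ok' if not missing else 'missing ' + ', '.join(missing)}")
    print("after proxy rewrite:", add_secure_flag(SAMPLE_HEADERS[0]))
```

With Apache mod_headers the equivalent of `add_secure_flag` is `Header edit Set-Cookie ^(.*)$ "$1; Secure"` (applied to every Set-Cookie header, so it duplicates the flag on cookies that already carry it, unlike the function above, which skips them). On a Servlet 3.0 container the flag can instead be set at the source in `web.xml` with `<session-config><cookie-config><secure>true</secure></cookie-config></session-config>`, which is the approach the GlassFish link above describes. HSTS is complementary rather than a substitute: it tells a browser to upgrade later http requests to https, but it does not add the attribute to the cookie, so the scanner finding remains until the Secure flag itself is set.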