Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

McAfee Vulnerability Scanner

Posted on 2009-05-05
5
Medium Priority
?
2,049 Views
Last Modified: 2012-05-06
Hello,

Im running McAfee Vulnerability Scanner on my sites.

its giving me following Vulnerability in my some sites.

1.Vulnerability         Missing Secure Attribute in an Encrypted Session (SSL) Cookie
    Port                 443/tcp

2. Vulnerability       Potentially Sensitive Information Missing Secure Attribute in an Encrypted Session (SSL) Cookie
Port                             443/tcp

Im having sites build using PHP-MYSQL-APACHE.

Can any one help me out with how to fix this Vulnerability with PHP code.

Many Thanks in Advance !!!
0
Comment
Question by:121doc
  • 3
  • 2
5 Comments
 
LVL 12

Expert Comment

by:jahboite
ID: 24303439
This pair of vulnerabilities is due to the fact that a visitor browsing to your https site can be forced to send their cookie over the unencrypted http channel because the cookie doesn't have the secure flag set.  If the visitors browser is made to send an http request for the same domain using the plain http protocol then the cookie is sent over an unencrypted link and thus there is the possibility of revealing sensitive information stored in the cookie - (not that sensitive information should be stored in a cookie, but session IDs are an example).
This might happen if a page at your https site contains any resource which should be loaded from the http site.
There are also several methods that an attacker might use, such as various kinds of inection, to force a visitors browser to make such a request.

In PHP, the sixth paramater to setcookie() should be set to true (or numeric 1) in order to set a cookie which the browser will NOT send over an unencrypted channel:

setcookie( 'my_cookie_name', 'my_cookie_value', time()+3600, '/', '.mywholedomain.com', TRUE);

similarly, if the cookie in question is a session cookie then using session_set_cookie_params() to enforce the secure flag is the way forward.

More about these functions at php.net: http://php.net/manual-lookup.php?pattern=cookie&lang=en


0
 

Author Comment

by:121doc
ID: 24440409
Hi i have tried this but still its not working.

Let me give you exact message.

Path: /login.php --> No "Secure" Attribute on Secure Channel (https) : PHPSESSID=6752becc7c2bb56a059a66c178b0a607; path=/

I have used session_set_cookie_params()  this function as well.

Thanks !!!
0
 
LVL 12

Accepted Solution

by:
jahboite earned 2000 total points
ID: 24440664
Would you mind posting the snippet of code that handles the session cookie paramaters so that we can get a better idea of why it might not be working.

From the php manual, it says about the session_set_cookie_params() function:
"The effect of this function only lasts for the duration of the script. Thus, you need to call session_set_cookie_params() for every request and before session_start() is called."

You could also try:

ini_set('cookie.secure', 1)

in each script called.

You could also try adding a php_value directive in an .htaccess file:

php_value  cookie.secure  1
0
 

Author Comment

by:121doc
ID: 24440764
Oops...

I have put this after session_start().

i have put before session_start()  now and checking ..

Let see if its works now or not?

Thanks !!!
0
 

Author Closing Comment

by:121doc
ID: 31577925
Its Works !!! Nice one !!!
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
Without even knowing it, most of us are using web applications on a daily basis.  In fact, Gmail and Yahoo email, Twitter, Facebook, and eBay are used by most of us daily—and they are web applications. We generally confuse these web applications to…
This video teaches viewers how to create their own website using cPanel and Wordpress. Tutorial walks users through how to set up their own domain name from tools like Domain Registrar, Hosting Account, and Wordpress. More specifically, the order in…
Learn how to set-up custom confirmation messages to users who complete your Wufoo form. Include inputs from fields in your form, webpage redirects, and more with Wufoo’s confirmation options.

927 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question