121doc
McAfee Vulnerability Scanner
Hello,
I'm running McAfee Vulnerability Scanner on my sites.
It's giving me the following vulnerabilities on some of my sites.
1. Vulnerability: Missing Secure Attribute in an Encrypted Session (SSL) Cookie
Port 443/tcp
2. Vulnerability: Potentially Sensitive Information Missing Secure Attribute in an Encrypted Session (SSL) Cookie
Port 443/tcp
My sites are built using PHP-MYSQL-APACHE.
Can anyone help me out with how to fix this vulnerability with PHP code?
Many thanks in advance!!!
ASKER
Hi, I have tried this but it's still not working.
Let me give you the exact message.
Path: /login.php --> No "Secure" Attribute on Secure Channel (https) : PHPSESSID=6752becc7c2bb56a059a66c178b0a607; path=/
I have used the session_set_cookie_params() function as well.
Thanks!!!
ASKER
Oops...
I had put this after session_start().
I have put it before session_start() now and am checking.
Let's see if it works now or not.
Thanks!!!
ASKER
It works!!! Nice one!!!
This might happen if a page at your https site contains any resource which should be loaded from the http site.
There are also several methods that an attacker might use, such as various kinds of injection, to force a visitor's browser to make such a request.
In PHP, the sixth parameter to setcookie() should be set to true (or numeric 1) in order to set a cookie which the browser will NOT send over an unencrypted channel:
setcookie( 'my_cookie_name', 'my_cookie_value', time()+3600, '/', '.mywholedomain.com', TRUE);
similarly, if the cookie in question is a session cookie then using session_set_cookie_params(
More about these functions at php.net: http://php.net/manual-lookup.php?pattern=cookie&lang=en
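An added example, not part of the original thread: it sets the Secure attribute on the PHP session cookie before session_start(), which is the ordering the asker found to matter, and includes a small check for the condition the scanner reported. The function names `start_secure_session` and `missing_secure_attribute` are hypothetical, the sample header values are constructed, and the array form of session_set_cookie_params() assumes PHP 7.3 or later.

```php
<?php
// Added example; function names are hypothetical, sample values are constructed.

/** Returns true when a Set-Cookie header value lacks the Secure attribute. */
function missing_secure_attribute(string $setCookie): bool
{
    // Attributes follow the first name=value pair, separated by ';'.
    $attributes = array_slice(explode(';', $setCookie), 1);
    foreach ($attributes as $attr) {
        // Attribute names are case-insensitive; Secure carries no value.
        if (strcasecmp(trim($attr), 'secure') === 0) {
            return false;
        }
    }
    return true;
}

/** Configures the session cookie, then starts the session. */
function start_secure_session(): bool
{
    // Cookie parameters only apply if set BEFORE session_start().
    // Calling this on an active session leaves the cookie unchanged.
    if (session_status() === PHP_SESSION_ACTIVE || headers_sent()) {
        return false;
    }
    session_set_cookie_params([
        'lifetime' => 0,     // expire when the browser closes
        'path'     => '/',
        'secure'   => true,  // browser sends the cookie over HTTPS only
        'httponly' => true,  // commonly set alongside Secure; hides the cookie from scripts
    ]);
    return session_start();
}

$started = start_secure_session();

// Constructed samples in the shape of the scanner message above.
$before = 'PHPSESSID=constructedsessionid; path=/';
$after  = 'PHPSESSID=constructedsessionid; path=/; secure; HttpOnly';

var_dump($started);                           // whether the session was started here
var_dump(missing_secure_attribute($before));  // flagged by the check
var_dump(missing_secure_attribute($after));   // passes the check
```

The same setting can be applied site-wide with the `session.cookie_secure` directive in php.ini instead of a call in every script.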