
Solved

McAfee Vulnerability Scanner

Posted on 2009-05-05
2,045 Views
Last Modified: 2012-05-06
Hello,

I'm running McAfee Vulnerability Scanner on my sites.

It's giving me the following vulnerabilities on some of my sites:

1. Vulnerability: Missing Secure Attribute in an Encrypted Session (SSL) Cookie
   Port: 443/tcp

2. Vulnerability: Potentially Sensitive Information Missing Secure Attribute in an Encrypted Session (SSL) Cookie
   Port: 443/tcp

My sites are built using PHP, MySQL and Apache.

Can anyone help me out with how to fix this vulnerability in PHP code?

Many thanks in advance!
Question by: 121doc
5 Comments

Expert Comment by: jahboite (LVL 12)
ID: 24303439
This pair of vulnerabilities is due to the fact that a visitor browsing to your https site can be forced to send their cookie over the unencrypted http channel because the cookie doesn't have the secure flag set. If the visitor's browser is made to send an http request for the same domain using the plain http protocol then the cookie is sent over an unencrypted link and thus there is the possibility of revealing sensitive information stored in the cookie (not that sensitive information should be stored in a cookie, but session IDs are an example).
This might happen if a page at your https site contains any resource which should be loaded from the http site.
There are also several methods that an attacker might use, such as various kinds of injection, to force a visitor's browser to make such a request.

In PHP, the sixth parameter to setcookie() should be set to true (or numeric 1) in order to set a cookie which the browser will NOT send over an unencrypted channel:

setcookie( 'my_cookie_name', 'my_cookie_value', time()+3600, '/', '.mywholedomain.com', TRUE);

Similarly, if the cookie in question is a session cookie then using session_set_cookie_params() to enforce the secure flag is the way forward.

More about these functions at php.net: http://php.net/manual-lookup.php?pattern=cookie&lang=en
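The two fixes described in this comment put together as one script, as an added example that is not code from the original thread. The domain, cookie name and cookie value are placeholders, and the site is assumed to be served over HTTPS only (a cookie carrying the Secure flag is never sent back by the browser over plain http, so it is useless for an http-only page). The seventh argument (HttpOnly) is included because the scanner's two findings both concern the session ID ending up where a client-side script or an unencrypted request can read it.

```php
<?php
// Added example (not from the original thread). '.example.com' and the
// cookie name/value are placeholders.

function start_secure_session(string $domain): void
{
    // session_set_cookie_params() only lasts for the current script, so it
    // must be called on every request, and it must precede session_start():
    // once the session cookie has been emitted, changing the params does nothing.
    // Arguments: lifetime (0 = until the browser closes), path, domain,
    // secure (never sent over plain http), httponly (not readable by JavaScript).
    session_set_cookie_params(0, '/', $domain, true, true);
    session_start();
}

function set_secure_cookie(string $name, string $value, string $domain, int $ttl = 3600): bool
{
    // setcookie(): 6th argument = secure, 7th = httponly.
    // Returns false if headers were already sent, i.e. the cookie was NOT set.
    return setcookie($name, $value, time() + $ttl, '/', $domain, true, true);
}

start_secure_session('.example.com');
if (!set_secure_cookie('my_cookie_name', 'my_cookie_value', '.example.com')) {
    error_log('cookie not set: output already started before setcookie()');
}
```

Both calls have to run before any output is produced by the script; the return value of setcookie() is the cheapest way to notice when that has gone wrong.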


Author Comment by: 121doc
ID: 24440409
Hi, I have tried this but still it's not working.

Let me give you the exact message.

Path: /login.php --> No "Secure" Attribute on Secure Channel (https) : PHPSESSID=6752becc7c2bb56a059a66c178b0a607; path=/

I have used the session_set_cookie_params() function as well.

Thanks!
Accepted Solution by: jahboite (LVL 12), earned 2000 total points
ID: 24440664
Would you mind posting the snippet of code that handles the session cookie parameters so that we can get a better idea of why it might not be working.

From the php manual, it says about the session_set_cookie_params() function:
"The effect of this function only lasts for the duration of the script. Thus, you need to call session_set_cookie_params() for every request and before session_start() is called."

You could also try:

ini_set('session.cookie_secure', 1); // must run before session_start()

in each script called.

You could also try adding a php_value directive in an .htaccess file:

php_value  session.cookie_secure  1
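A way to confirm the fix from inside PHP rather than waiting for the next scan, as an added example that is not code from the original thread: the function below reads Set-Cookie headers and reports each cookie that lacks the Secure or HttpOnly attribute, which is exactly the condition the scanner flagged. Fed the output of PHP's headers_list() at the end of a script it also catches the ordering mistake discussed in this thread, because a session cookie emitted by session_start() before the parameters were changed will show up without the attribute. The sample headers in the block are constructed; the PHPSESSID value is a placeholder.

```php
<?php
// Added example (not from the original thread).

/**
 * Return one finding per Set-Cookie header that is missing the Secure
 * and/or HttpOnly attribute. Non-cookie headers are ignored.
 */
function check_cookie_headers(array $headers): array
{
    $findings = [];
    foreach ($headers as $header) {
        if (stripos($header, 'Set-Cookie:') !== 0) {
            continue;
        }
        $cookie = trim(substr($header, strlen('Set-Cookie:')));
        // "name=value; attr; attr=val; ..." -> name first, attributes after
        $parts = array_map('trim', explode(';', $cookie));
        $name  = explode('=', array_shift($parts), 2)[0];
        $attrs = array_map('strtolower', $parts);

        $missing = [];
        if (!in_array('secure', $attrs, true)) {
            $missing[] = 'Secure';
        }
        if (!in_array('httponly', $attrs, true)) {
            $missing[] = 'HttpOnly';
        }
        if ($missing) {
            $findings[] = sprintf('%s: missing %s', $name, implode(', ', $missing));
        }
    }
    return $findings;
}

// Constructed sample: the first cookie reproduces the scanner's finding,
// the second is what a correctly configured session cookie looks like.
$sample = [
    'Content-Type: text/html; charset=utf-8',
    'Set-Cookie: PHPSESSID=PLACEHOLDER_SESSION_ID; path=/',
    'Set-Cookie: PHPSESSID=PLACEHOLDER_SESSION_ID; path=/; domain=.example.com; secure; HttpOnly',
];
print_r(check_cookie_headers($sample));

// In a real request, run it over the headers PHP is about to send:
if (PHP_SAPI !== 'cli') {
    foreach (check_cookie_headers(headers_list()) as $finding) {
        error_log('insecure cookie: ' . $finding);
    }
}
```

Because headers_list() reflects headers queued so far, call the check at the very end of the script (or from a register_shutdown_function() callback) so that cookies set late in the request are included.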
Author Comment by: 121doc
ID: 24440764
Oops...

I had put this after session_start().

I have put it before session_start() now and am checking.

Let's see if it works now or not.

Thanks!
Author Closing Comment by: 121doc
ID: 31577925
It works! Nice one!