PHP
--
Questions
--
Followers
Top Experts
McAfee Vulnerability Scanner
Hello,
Im running McAfee Vulnerability Scanner on my sites.
its giving me following Vulnerability in my some sites.
1.Vulnerability Missing Secure Attribute in an Encrypted Session (SSL) Cookie
Port 443/tcp
2. Vulnerability Potentially Sensitive Information Missing Secure Attribute in an Encrypted Session (SSL) Cookie
Port 443/tcp
Im having sites build using PHP-MYSQL-APACHE.
Can any one help me out with how to fix this Vulnerability with PHP code.
Many Thanks in Advance !!!
Im running McAfee Vulnerability Scanner on my sites.
its giving me following Vulnerability in my some sites.
1.Vulnerability Missing Secure Attribute in an Encrypted Session (SSL) Cookie
Port 443/tcp
2. Vulnerability Potentially Sensitive Information Missing Secure Attribute in an Encrypted Session (SSL) Cookie
Port 443/tcp
Im having sites build using PHP-MYSQL-APACHE.
Can any one help me out with how to fix this Vulnerability with PHP code.
Many Thanks in Advance !!!
Zero AI Policy
We believe in human intelligence. Our moderation policy strictly prohibits the use of LLM content in our Q&A threads.
This pair of vulnerabilities is due to the fact that a visitor browsing to your https site can be forced to send their cookie over the unencrypted http channel because the cookie doesn't have the secure flag set. If the visitors browser is made to send an http request for the same domain using the plain http protocol then the cookie is sent over an unencrypted link and thus there is the possibility of revealing sensitive information stored in the cookie - (not that sensitive information should be stored in a cookie, but session IDs are an example).
This might happen if a page at your https site contains any resource which should be loaded from the http site.
There are also several methods that an attacker might use, such as various kinds of inection, to force a visitors browser to make such a request.
In PHP, the sixth paramater to setcookie() should be set to true (or numeric 1) in order to set a cookie which the browser will NOT send over an unencrypted channel:
setcookie( 'my_cookie_name', 'my_cookie_value', time()+3600, '/', '.mywholedomain.com', TRUE);
similarly, if the cookie in question is a session cookie then using session_set_cookie_params(
More about these functions at php.net: http://php.net/manual-lookup.php?pattern=cookie&lang=en
This might happen if a page at your https site contains any resource which should be loaded from the http site.
There are also several methods that an attacker might use, such as various kinds of inection, to force a visitors browser to make such a request.
In PHP, the sixth paramater to setcookie() should be set to true (or numeric 1) in order to set a cookie which the browser will NOT send over an unencrypted channel:
setcookie( 'my_cookie_name', 'my_cookie_value', time()+3600, '/', '.mywholedomain.com', TRUE);
similarly, if the cookie in question is a session cookie then using session_set_cookie_params(
More about these functions at php.net: http://php.net/manual-lookup.php?pattern=cookie&lang=en
Hi i have tried this but still its not working.
Let me give you exact message.
Path: /login.php --> No "Secure" Attribute on Secure Channel (https) : PHPSESSID=6752becc7c2bb56a
I have used session_set_cookie_params(
Thanks !!!
Let me give you exact message.
Path: /login.php --> No "Secure" Attribute on Secure Channel (https) : PHPSESSID=6752becc7c2bb56a
I have used session_set_cookie_params(
Thanks !!!
ASKER CERTIFIED SOLUTION
membership
Log in or create a free account to see answer.
Signing up is free and takes 30 seconds. No credit card required.
Oops...
I have put this after session_start().
i have put before session_start() now and checking ..
Let see if its works now or not?
Thanks !!!
I have put this after session_start().
i have put before session_start() now and checking ..
Let see if its works now or not?
Thanks !!!
EARN REWARDS FOR ASKING, ANSWERING, AND MORE.
Earn free swag for participating on the platform.
Its Works !!! Nice one !!!
PHP
--
Questions
--
Followers
Top Experts
PHP is a widely-used server-side scripting language especially suited for web development, powering tens of millions of sites from Facebook to personal WordPress blogs. PHP is often paired with the MySQL relational database, but includes support for most other mainstream databases. By utilizing different Server APIs, PHP can work on many different web servers as a server-side scripting language.