Solved

McAfee Vulnerability Scanner

Posted on 2009-05-05
5
2,028 Views
Last Modified: 2012-05-06
Hello,

Im running McAfee Vulnerability Scanner on my sites.

its giving me following Vulnerability in my some sites.

1.Vulnerability         Missing Secure Attribute in an Encrypted Session (SSL) Cookie
    Port                 443/tcp

2. Vulnerability       Potentially Sensitive Information Missing Secure Attribute in an Encrypted Session (SSL) Cookie
Port                             443/tcp

Im having sites build using PHP-MYSQL-APACHE.

Can any one help me out with how to fix this Vulnerability with PHP code.

Many Thanks in Advance !!!
0
Comment
Question by:121doc
  • 3
  • 2
5 Comments
 
LVL 12

Expert Comment

by:jahboite
ID: 24303439
This pair of vulnerabilities is due to the fact that a visitor browsing to your https site can be forced to send their cookie over the unencrypted http channel because the cookie doesn't have the secure flag set.  If the visitors browser is made to send an http request for the same domain using the plain http protocol then the cookie is sent over an unencrypted link and thus there is the possibility of revealing sensitive information stored in the cookie - (not that sensitive information should be stored in a cookie, but session IDs are an example).
This might happen if a page at your https site contains any resource which should be loaded from the http site.
There are also several methods that an attacker might use, such as various kinds of inection, to force a visitors browser to make such a request.

In PHP, the sixth paramater to setcookie() should be set to true (or numeric 1) in order to set a cookie which the browser will NOT send over an unencrypted channel:

setcookie( 'my_cookie_name', 'my_cookie_value', time()+3600, '/', '.mywholedomain.com', TRUE);

similarly, if the cookie in question is a session cookie then using session_set_cookie_params() to enforce the secure flag is the way forward.

More about these functions at php.net: http://php.net/manual-lookup.php?pattern=cookie&lang=en


0
 

Author Comment

by:121doc
ID: 24440409
Hi i have tried this but still its not working.

Let me give you exact message.

Path: /login.php --> No "Secure" Attribute on Secure Channel (https) : PHPSESSID=6752becc7c2bb56a059a66c178b0a607; path=/

I have used session_set_cookie_params()  this function as well.

Thanks !!!
0
 
LVL 12

Accepted Solution

by:
jahboite earned 500 total points
ID: 24440664
Would you mind posting the snippet of code that handles the session cookie paramaters so that we can get a better idea of why it might not be working.

From the php manual, it says about the session_set_cookie_params() function:
"The effect of this function only lasts for the duration of the script. Thus, you need to call session_set_cookie_params() for every request and before session_start() is called."

You could also try:

ini_set('cookie.secure', 1)

in each script called.

You could also try adding a php_value directive in an .htaccess file:

php_value  cookie.secure  1
0
 

Author Comment

by:121doc
ID: 24440764
Oops...

I have put this after session_start().

i have put before session_start()  now and checking ..

Let see if its works now or not?

Thanks !!!
0
 

Author Closing Comment

by:121doc
ID: 31577925
Its Works !!! Nice one !!!
0

Featured Post

3 Use Cases for Connected Systems

Our Dev teams are like yours. They’re continually cranking out code for new features/bugs fixes, testing, deploying, testing some more, responding to production monitoring events and more. It’s complex. So, we thought you’d like to see what’s working for us.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This story has been written with permission from the scammed victim, a valued client of mine – identity protected by request.
These days, all we hear about hacktivists took down so and so websites and retrieved thousands of user’s data. One of the techniques to get unauthorized access to database is by performing SQL injection. This article is quite lengthy which gives bas…
This video teaches users how to migrate an existing Wordpress website to a new domain.
Use Wufoo, an online form creation tool, to make powerful forms. Learn how to selectively show certain fields based on user input using rules to gather relevant information and data from your forms. The rules feature provides you with an opportunity…

773 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question