Solved

McAfee Vulnerability Scanner

Posted on 2009-05-05
5
2,027 Views
Last Modified: 2012-05-06
Hello,

Im running McAfee Vulnerability Scanner on my sites.

its giving me following Vulnerability in my some sites.

1.Vulnerability         Missing Secure Attribute in an Encrypted Session (SSL) Cookie
    Port                 443/tcp

2. Vulnerability       Potentially Sensitive Information Missing Secure Attribute in an Encrypted Session (SSL) Cookie
Port                             443/tcp

Im having sites build using PHP-MYSQL-APACHE.

Can any one help me out with how to fix this Vulnerability with PHP code.

Many Thanks in Advance !!!
0
Comment
Question by:121doc
  • 3
  • 2
5 Comments
 
LVL 12

Expert Comment

by:jahboite
ID: 24303439
This pair of vulnerabilities is due to the fact that a visitor browsing to your https site can be forced to send their cookie over the unencrypted http channel because the cookie doesn't have the secure flag set.  If the visitors browser is made to send an http request for the same domain using the plain http protocol then the cookie is sent over an unencrypted link and thus there is the possibility of revealing sensitive information stored in the cookie - (not that sensitive information should be stored in a cookie, but session IDs are an example).
This might happen if a page at your https site contains any resource which should be loaded from the http site.
There are also several methods that an attacker might use, such as various kinds of inection, to force a visitors browser to make such a request.

In PHP, the sixth paramater to setcookie() should be set to true (or numeric 1) in order to set a cookie which the browser will NOT send over an unencrypted channel:

setcookie( 'my_cookie_name', 'my_cookie_value', time()+3600, '/', '.mywholedomain.com', TRUE);

similarly, if the cookie in question is a session cookie then using session_set_cookie_params() to enforce the secure flag is the way forward.

More about these functions at php.net: http://php.net/manual-lookup.php?pattern=cookie&lang=en


0
 

Author Comment

by:121doc
ID: 24440409
Hi i have tried this but still its not working.

Let me give you exact message.

Path: /login.php --> No "Secure" Attribute on Secure Channel (https) : PHPSESSID=6752becc7c2bb56a059a66c178b0a607; path=/

I have used session_set_cookie_params()  this function as well.

Thanks !!!
0
 
LVL 12

Accepted Solution

by:
jahboite earned 500 total points
ID: 24440664
Would you mind posting the snippet of code that handles the session cookie paramaters so that we can get a better idea of why it might not be working.

From the php manual, it says about the session_set_cookie_params() function:
"The effect of this function only lasts for the duration of the script. Thus, you need to call session_set_cookie_params() for every request and before session_start() is called."

You could also try:

ini_set('cookie.secure', 1)

in each script called.

You could also try adding a php_value directive in an .htaccess file:

php_value  cookie.secure  1
0
 

Author Comment

by:121doc
ID: 24440764
Oops...

I have put this after session_start().

i have put before session_start()  now and checking ..

Let see if its works now or not?

Thanks !!!
0
 

Author Closing Comment

by:121doc
ID: 31577925
Its Works !!! Nice one !!!
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Article by: btan
Provide an easy one stop to quickly get the relevant information on common asked question on Ransomware in Expert Exchange.
Today, still in the boom of Apple, PC's and products, nearly 50% of the computer users use Windows as graphical operating systems. If you are among those users who love windows, but are grappling to keep the system's hard drive optimized, then you s…
Learn how to match and substitute tagged data using PHP regular expressions. Demonstrated on Windows 7, but also applies to other operating systems. Demonstrated technique applies to PHP (all versions) and Firefox, but very similar techniques will w…
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…

920 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now