V-222576

Discussion

Many web development frameworks such as PHP, .NET, ASP as well as application servers include their own mechanisms for session management. Whenever possible it is recommended to utilize the provided session management framework. Setting the secure bit on session cookie ensures the session cookie is only sent via TLS/SSL HTTPS connections. This helps to ensure confidentiality as the session cookie is not able to be viewed by unauthorized parties as it transits the network. Setting the secure flag on all cookies may also be warranted depending upon application design but at a minimum, the session cookie must always be secured.

Check Content

Review the application documentation and interview the application administrator to identify when session cookies are created.

If vulnerability scan results are available, reference the most recent vulnerability scan results.

Verify that the scan configuration includes checks for the secure flag on session cookies.  If scan configuration settings are not available, follow the manual procedure provided below.

Review the scan results and determine if the secure flag not being set was identified as a vulnerability.

To manually perform the check, open a web browser, logon to the web application and use the web browser to view the new session cookie.  

The procedures used for viewing and clearing browser cookies will vary based upon the web browser used.  Providing steps for every browser is outside the scope of the STIG.  There are numerous sites that document how to view cookies using various web browsers.

For IE11:
Alt-X >> Internet options >> General >> Settings >> View Files

A windows explorer box will open that contains the contents of the Temporary Internet Files.  Browse the folder and locate the application session cookie(s).  View the contents of the cookie(s).

If the "secure" flag is not set on the session cookie, or if the vulnerability scan results indicate the application does not set the secure flag on cookies, this is a finding.