HTTP Cookie 'secure' Property Transport Mismatch

Nessus Plugin ID 69826

Synopsis

The remote web server sent out a cookie with a 'secure' property that does not match the transport on which it was sent.

Description

The remote web server sends out cookies to clients with a 'secure' property that does not match the transport, HTTP or HTTPS, over which they were received. This may occur in two forms:

1. The cookie is sent over HTTP, but has the 'secure' property set, indicating that it should only be sent over a secure, encrypted transport such as HTTPS. This should not happen: a cookie that is only meant to travel over HTTPS has already been exposed on the cleartext channel it was set on.

2. The cookie is sent over HTTPS, but has no 'secure' property set, indicating that it may be sent over both HTTP and HTTPS transports. This is common, but care should be taken to ensure that leaving the 'secure' property unset is deliberate and not an oversight.
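The two mismatch forms above, implemented as an added check (example code written for this page, not the plugin's own NASL): it splits each Set-Cookie header into its RFC 6265 attributes, looks for the case-insensitive 'Secure' attribute, and classifies the cookie against the scheme the response arrived on. The scheme/header pairs in SAMPLES are constructed test data.

```python
"""Flag Set-Cookie headers whose 'Secure' attribute disagrees with the transport."""
from typing import Optional


def has_secure_attribute(set_cookie: str) -> bool:
    """Return True if the Set-Cookie header carries the Secure attribute (RFC 6265 s5.2)."""
    # The first ';'-separated part is name=value; the remaining parts are attributes.
    for attr in set_cookie.split(";")[1:]:
        # Attribute names are case-insensitive, and 'Secure' takes no value.
        name = attr.strip().split("=", 1)[0].strip().lower()
        if name == "secure":
            return True
    return False


def cookie_name(set_cookie: str) -> str:
    """Extract the cookie name from the leading name=value pair."""
    return set_cookie.split(";", 1)[0].split("=", 1)[0].strip()


def transport_mismatch(scheme: str, set_cookie: str) -> Optional[str]:
    """Classify a cookie against the scheme it was received over.

    Returns 'secure-over-http' (form 1), 'no-secure-over-https' (form 2) or None.
    """
    secure = has_secure_attribute(set_cookie)
    scheme = scheme.lower()
    if scheme == "http" and secure:
        return "secure-over-http"
    if scheme == "https" and not secure:
        return "no-secure-over-https"
    return None


# Constructed samples: (scheme the response came over, Set-Cookie header value)
SAMPLES = [
    ("http", "session=abc123; Path=/; Secure; HttpOnly"),
    ("https", "tracking=xyz; Path=/; Max-Age=3600"),
    ("https", "sid=def456; Path=/; secure"),
    ("http", "lang=en; Path=/"),
]


def audit(samples=SAMPLES):
    """Return (cookie name, scheme, finding) for every cookie whose flag mismatches."""
    findings = []
    for scheme, header in samples:
        finding = transport_mismatch(scheme, header)
        if finding:
            findings.append((cookie_name(header), scheme, finding))
    return findings


if __name__ == "__main__":
    for name, scheme, finding in audit():
        print(f"{name!r} over {scheme}: {finding}")
```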

See Also

https://tools.ietf.org/html/rfc6265

Plugin Details

Severity: Info

ID: 69826

File Name: http_cookie_secure_mismatch.nasl

Version: 1.5

Type: remote

Family: CGI abuses

Published: 9/10/2013

Updated: 12/20/2021

Supported Sensors: Nessus