Author: MichaelCoates
Contributor(s): Andrew Smith, Gladwin, Bill Sempf, Wichers, James Jardine, Zerosum0x0, Paco, Dan Wallis, Nawwar, kingthorin, Grant Ongers
The secure attribute is an option that can be set by the application serverwhen sending a new cookie to the user within an HTTP Response. Thepurpose of the secure attribute is to prevent cookies from being observed byunauthorized parties due to the transmission of the cookie in cleartext.To accomplish this goal, browsers which support the secure attribute willonly send cookies with the secure attribute when the request is going to anHTTPS page. Said in another way, the browser will not send a cookie withthe secure attribute set over an unencrypted HTTP request.By setting the secure attribute, the browser will prevent the transmission ofa cookie over an unencrypted channel.
Following sections describes setting the Secure Attribute in respectivetechnologies.
Java
Servlet 3.0 (Java EE 6)
Sun Java EE supports secure attribute in Cookie interface since version 6(Servlet class version3)1,also for session cookies(JSESSIONID)2.Methods setSecure and isSecure can be used to set and check forsecure value in cookies.
web.xml
Servlet 3.0 (Java EE 6) introduced a standard way to configure secureattribute for the session cookie, this can be done by applying thefollowing configuration in web.xml
<session-config> <cookie-config> <secure>`true`</secure> </cookie-config></session-config>Tomcat
In Tomcat 6 if the first request for session is using https thenit automatically sets secure attribute on session cookie.
Setting it as a custom header
For older versions the workaround is to rewrite JSESSIONID valueusing and setting it as a custom header. The drawback is that serverscan be configured to use a different session identifier than JSESSIONID.
String sessionid = request.getSession().getId();response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + "; secure");
Environment consideration
With this attribute always set, sessions won’t work inenvironments(development/test/etc.) that may use http.SessionCookieConfig3interface or setting customheader4trick can be leveraged to configure setting of this attribute differently foreach environment and can be driven by application configuration.
ASP.NET
Set the following in Web.config: <httpCookies requireSSL="true" />
For some objects that have a requireSSL property, like the formsAuthentication Cookie, set the requireSSL="true" attribute in the web.configfor that specific element. For example:
<authentication mode="Forms"> <forms loginUrl="member_login.aspx" cookieless="UseCookies" `requireSSL="true"` path="/MyApplication" /></authentication>Which will enable the secure attribute on the Forms Authentication cookie, as well as checking that the http request is coming to the server over SSL/TLS connection. Note that in case TLS is offloaded to a load balancer, the requireSSL solution wouldn’t work.
Alternatively, the cookies can be set to secure programmatically using the following code by adding a EndRequest event handler to the Global.asax.cs file:
protected void Application_EndRequest(Object sender, EventArgs e) { // Iterate through any cookies found in the Response object. foreach (string cookieName in Response.Cookies.AllKeys) { Response.Cookies[cookieName]?.Secure = true; }} PHP
For session cookies managed by PHP, the attribute is set either permanentlyin php.ini PHP manual onSecureFlagthrough the parameter:
session.cookie_secure = True
or in and during a script via the function5:
void session_set_cookie_params ( int $lifetime [, string $path [, string $domain [, bool $secure= false [, bool $httponly= false ]]]] )For application cookies a parameter in setcookie() sets the secure attribute6:
bool setcookie ( string $name [, string $value [, int $expire= 0 [, string $path [, string $domain [, bool $secure= false [, bool $httponly= false ]]]]]] )Go
Iris
For session cookies managed by Iris, the attribute is set through the CookieSecureTLS option:
app := iris.New()sess := sessions.New(sessions.Config{ CookieSecureTLS: true, // ...more options})app.Use(sess.Handler())For application cookies a parameter in SetCookie() sets the secure attribute:
app.Post("/", func(ctx iris.Context) { ctx.SetCookie(&http.Cookie{ Secure: true, // ...more options })})OR by CookieSecure cookie option:
ctx.SetCookieKV("name", "value", iris.CookieSecure)OR set the attribute permanently:
app := iris.New()app.Use(withCookieOptions)withCookieOptions := func(ctx iris.Context) {ctx.AddCookieOptions(iris.CookieSecure)ctx.Next()}For Single-Sign-On managed by Iris, the attribute is set through the Cookie.Secure option:
authConfig := auth.Configuration{ Cookie: auth.CookieConfiguration{ Secure: true, // ...more options }, // ...more options}Verifying that a web site sets this attribute on any particular cookie iseasy. Using an intercepting proxy, like ZAP, you cancapture each response from the server and examine any Set-Cookie headersit includes to see if the secure attribute is set on the cookie.
