« OllyDbg Version 2.0 - Beta 1 Released | Main | Top 5 cybersecurity news stories of 2008 »

Fixing Both Missing HTTPOnly and Secure Cookie Flags with modsecurity

Ryan Barnett has posted an entry on identifying sessions lacking HTTPOnly and secure cookie flags on modsecurity.

"In a previous post I showed how you can use both ModSecurity and Apache together to identify/modify SessionIDs that are missing the HTTPOnly flag.  I received some feedback where people were asking how to accomplish the same thing but for the "Secure" cookie flag which instructs the browser to *only* send the SessionID back over an SSL connection. 

If you are only interested in addressing the missing "Secure" cookie flag, then you can simply take the example from the previous post and edit it slightly to swap out "httponly" with "secure".  If, however, you want to try and address both of these issues together, then you will need to change the rule set approach a bit so that it works correctly.  This is because there are now three different scenarios you have to account for -

  • Missing HTTPOnly flag
  • Missing Secure flag (if the SessionID is being sent over an SSL connection)
  • Missing both HTTPOnly and Secure flags"

Read more: http://blog.modsecurity.org/2008/12/fixing-both-missing-httponly-and-secure-cookie-flags.html


Feed You can follow this conversation by subscribing to the comment feed for this post.

All Comments are Moderated and will be delayed!