
Fixing Both Missing HTTPOnly and Secure Cookie Flags with ModSecurity

Ryan Barnett has posted an entry on the ModSecurity blog about identifying session cookies that lack the HTTPOnly and Secure cookie flags.

"In a previous post I showed how you can use both ModSecurity and Apache together to identify/modify SessionIDs that are missing the HTTPOnly flag. I received some feedback where people were asking how to accomplish the same thing but for the "Secure" cookie flag which instructs the browser to *only* send the SessionID back over an SSL connection.

If you are only interested in addressing the missing "Secure" cookie flag, then you can simply take the example from the previous post and edit it slightly to swap out "httponly" with "secure". If, however, you want to try and address both of these issues together, then you will need to change the rule set approach a bit so that it works correctly. This is because there are now three different scenarios you have to account for –

  • Missing HTTPOnly flag
  • Missing Secure flag (if the SessionID is being sent over an SSL connection)
  • Missing both HTTPOnly and Secure flags"
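As an added illustration of the three scenarios above (this is not Ryan Barnett's rule set), the following ModSecurity 2.x / Apache mod_headers fragment detects a deficient Set-Cookie header in phase 3, exports an environment variable, and lets a gated `Header edit` append only the missing attribute; rule ids, environment variable names and the assumption that TLS terminates on this Apache at port 443 are mine.

```apache
# Added example, not from the original post. Assumes ModSecurity 2.x, Apache
# 2.2.4+ (Header edit) and TLS terminated locally on port 443.

# Scenario 1 (and part of 3): a Set-Cookie header with no HttpOnly attribute.
# Requiring a leading ";" keeps the word "httponly" inside a cookie *value*
# from being mistaken for the attribute.
SecRule RESPONSE_HEADERS:Set-Cookie "!(?i:;\s*httponly)" \
    "phase:3,id:900100,t:none,pass,nolog,setenv:HTTPONLY_COOKIE=1"

# Scenario 2 (and part of 3): same check for Secure, but only on an SSL
# connection; a cookie that never travels over plain HTTP is the only one
# the Secure flag is meant for. Behind a TLS-offloading proxy, test a
# forwarded-proto request header here instead of SERVER_PORT (assumption).
SecRule SERVER_PORT "@eq 443" \
    "chain,phase:3,id:900101,t:none,pass,nolog"
    SecRule RESPONSE_HEADERS:Set-Cookie "!(?i:;\s*secure)" \
        "t:none,setenv:SECURE_COOKIE=1"

# Rewrite step, gated on the variables set above. The negative lookahead makes
# each edit touch only header values that actually lack the attribute, so a
# response carrying one correct and one deficient cookie does not end up with
# a duplicated flag. Scenario 3 is simply both edits firing on one response.
Header edit Set-Cookie "(?i)^((?:(?!;\s*httponly).)*)$" "$1; HttpOnly" env=HTTPONLY_COOKIE
Header edit Set-Cookie "(?i)^((?:(?!;\s*secure).)*)$"   "$1; Secure"   env=SECURE_COOKIE
```

Keep `nolog` until the rules have been verified against the application's real Set-Cookie headers, then switch to logging so each rewrite leaves an audit trail of which cookies the application still issues without the flags.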

Read more: http://blog.modsecurity.org/2008/12/fixing-both-missing-httponly-and-secure-cookie-flags.html