Missing Secure Flag & HttpOnly Flag From SSL Cookie - OWA
Hello, I'm a bit stuck on this issue for a few days and hoping to get some help on this... We are running Exchange 2010 w/ SP1 Rollup 6. Server is running great and OWA is on 443. We have two servers for Exchange. One is running the Transport and Mailbox, and the other is CAS. We use IBM for firewall / IDS and we run scheduled penetration tests. We came back with two vulnerabilities:

1) Missing HttpOnly Flag From Cookie
2) Missing Secure Flag From SSL Cookie

Their solution is to: Add the HttpOnly to all cookies and Add the Secure flag to cookies sent over SSL.

I tried adding this line and playing with the boolean with no luck:

<httpCookies httpOnlyCookies="false" requireSSL="true" domain="" />

I set this in the web.config under Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa. If I turn httpOnlyCookies="true" it will break OWA.

Any help would be appreciated! Thanks :)
Will
February 15th, 2012 4:28pm

Hi, We do not set the cookies to HttpOnly because we require access to certain of these cookies from scripts. So we cannot change this, but we take care to use best practices and safeguards within our code to protect against cross site scripting attacks. So it is by design.
Xiu Zhang TechNet Community Support
February 17th, 2012 3:42am

Xiu - I am having the exact same issue with vulnerability scan results. Our PCI QSA requires that we have documentation if we intend to ignore the reported vulnerability. Unfortunately, a conversational post on TechNet won't meet those documentation requirements. Can you direct me to any resources from Microsoft that describe the fact that the HTTPOnly flag isn't set and the Secure flag is missing? And also that describe the best practices and safeguards in the code for OWA to prevent against cross site scripting? Thank you - Corey
March 20th, 2012 9:42am

Hi Xiu, We also have this vulnerability and we need a fix or supporting documents if we cannot apply a fix. I would appreciate it if you could give us info. Thanks!
April 10th, 2012 8:13pm

I am having the exact same issue with vulnerability scan results. Our PCI QSA requires that we have documentation if we intend to ignore the reported vulnerability. Can you direct me to any resources from Microsoft that describe the fact that the HTTPOnly flag isn't set and the Secure flag is missing? And also that describe the best practices and safeguards in the code for OWA to prevent against cross site scripting?
June 5th, 2012 2:33am

We could benefit from this information, as well. One of our customers had a 3rd-party security audit conducted, and they cited the fact that our web application does not use secure cookies as a potential vulnerability. They asked us to "fix" this by setting the following entry in the web.config file: <httpCookies requireSSL="true" />.
June 11th, 2012 9:23am
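The original poster and the last reply both try to fix the finding by editing web.config, and the PCI replies need a record of exactly which cookies lack which flags. The following is an added example, not code from this thread, from Microsoft or from any scanner: a small audit that reads Set-Cookie headers and reports each cookie missing Secure or HttpOnly, so a change can be verified on a test CAS before it is rolled out, and the remaining cookies can be listed for the QSA. The sample headers and cookie names below are constructed placeholders, not real OWA cookies; audit_url() is assumed to be run against a test server you own.

```python
"""Audit Set-Cookie headers for missing Secure and HttpOnly attributes.

Added example (not from the TechNet thread or from Microsoft). Cookie
names in SAMPLE_SET_COOKIE_HEADERS are constructed placeholders.
"""
import urllib.error
import urllib.request
from typing import Dict, List, Set, Tuple

# Constructed sample: what a scanner might see in one HTTPS response.
SAMPLE_SET_COOKIE_HEADERS = [
    "auth_placeholder=abc123; path=/; secure; HttpOnly",   # both flags set
    "ui_placeholder=0; path=/",                            # neither flag
    "lang_placeholder=en; path=/; secure",                 # Secure only
]


def parse_set_cookie(header: str) -> Tuple[str, Set[str]]:
    """Return (cookie name, set of lower-cased attribute names).

    Attribute matching is case-insensitive because RFC 6265 attribute
    names are, and servers emit 'Secure', 'secure' and 'HttpOnly' alike.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_set_cookie(headers: List[str], over_tls: bool = True) -> Dict[str, List[str]]:
    """Map each cookie name to the flags it is missing (empty dict = clean).

    Secure is only expected when the response came over TLS; HttpOnly is
    expected on every cookie, which is exactly what the two scanner
    findings in the thread check for.
    """
    findings: Dict[str, List[str]] = {}
    for header in headers:
        name, attrs = parse_set_cookie(header)
        missing = []
        if over_tls and "secure" not in attrs:
            missing.append("Secure")
        if "httponly" not in attrs:
            missing.append("HttpOnly")
        if missing:
            findings[name] = missing
    return findings


def audit_url(url: str) -> Dict[str, List[str]]:
    """Fetch one URL on a server you control and audit its Set-Cookie headers.

    A 401/403 (for example an OWA logon challenge) still carries Set-Cookie
    headers, so those responses are read from the HTTPError object rather
    than discarded. Note that urllib follows redirects, so cookies set only
    on an intermediate 302 are not seen here.
    """
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            headers = resp.headers.get_all("Set-Cookie") or []
    except urllib.error.HTTPError as err:
        headers = err.headers.get_all("Set-Cookie") or []
    return audit_set_cookie(headers, over_tls=url.lower().startswith("https://"))


if __name__ == "__main__":
    # Run offline against the constructed sample.
    for cookie, missing in audit_set_cookie(SAMPLE_SET_COOKIE_HEADERS).items():
        print(f"{cookie}: missing {', '.join(missing)}")
```

For a real check, call audit_url("https://<your-test-cas>/owa/") and keep the output with the change record; a cookie that is still missing HttpOnly after a web.config edit is either not governed by that setting or was deliberately left script-accessible, as the Microsoft reply above states for OWA.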

