Missing Secure Flag & HttpOnly Flag From SSL Cookie - OWA
Hello, I've been stuck on this issue for a few days and am hoping to get some help with it...

We are running Exchange 2010 with SP1 Rollup 6. The server is running great and OWA is on 443. We have two servers for Exchange: one is running the Transport and Mailbox roles, and the other is the CAS. We use IBM for firewall / IDS and we run scheduled penetration tests. We came back with two vulnerabilities:

1) Missing HttpOnly Flag From Cookie
2) Missing Secure Flag From SSL Cookie

Their solution is to add HttpOnly to all cookies and add the Secure flag to cookies sent over SSL.

I tried adding this line and playing with the booleans with no luck:

<httpCookies httpOnlyCookies="false" requireSSL="true" domain="" />

I set this in the web.config under Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa. If I turn httpOnlyCookies="true" it breaks OWA.

Any help would be appreciated! Thanks :)
Will
February 15th, 2012 4:28pm
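The scanner findings above are about the attributes on the Set-Cookie headers OWA returns, so the first thing to establish before filing for an exception or changing web.config is exactly which cookies lack which flag. The following is an added example (not code from the original post or from Microsoft/Exchange) that parses Set-Cookie header values and reports every cookie missing HttpOnly or Secure; it can also pull the headers from a live URL. The sample headers and the cookie names in them are constructed for the example and are not a claim about what Exchange 2010 actually issues.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure attributes.

Added example. Assumes only the Python standard library. SAMPLE_HEADERS is a
constructed sample; cookie names there are illustrative, not real OWA names.
"""
import sys
import urllib.error
import urllib.request


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attr_lower: value_or_True})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Attribute names are case-insensitive (Secure / secure / SECURE).
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def audit_cookies(set_cookie_headers, over_tls=True):
    """Return [(cookie_name, [missing flags...])] for every non-compliant cookie.

    over_tls=False skips the Secure check, which only matters for cookies
    served on an HTTPS endpoint (the scanner's "SSL Cookie" finding).
    """
    findings = []
    for header in set_cookie_headers:
        name, _value, attrs = parse_set_cookie(header)
        missing = []
        if "httponly" not in attrs:
            missing.append("HttpOnly")
        if over_tls and "secure" not in attrs:
            missing.append("Secure")
        if missing:
            findings.append((name, missing))
    return findings


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: a 302 from a logon page can carry Set-Cookie
    headers that would otherwise be lost before we see them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_set_cookie_headers(url, timeout=10):
    """GET url once and return the raw Set-Cookie header values (list of str).

    Non-2xx responses (302 to the logon form, 401, etc.) still set cookies,
    so their headers are read from the HTTPError instead of being discarded.
    """
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "cookie-flag-audit"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.headers.get_all("Set-Cookie") or []
    except urllib.error.HTTPError as err:
        return err.headers.get_all("Set-Cookie") or []


# Constructed sample: one cookie missing Secure, one compliant, one missing both.
SAMPLE_HEADERS = [
    "sessionid=abc123; path=/; HttpOnly",
    "cadata=xyz789; path=/; secure; HttpOnly",
    "UserContext=def456; path=/",
]


def report(findings):
    """Format findings as one line per cookie, e.g. for an exception request."""
    return [f"{name}: missing {', '.join(flags)}" for name, flags in findings]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        headers = fetch_set_cookie_headers(sys.argv[1])
        print(f"{len(headers)} Set-Cookie header(s) from {sys.argv[1]}")
    else:
        headers = SAMPLE_HEADERS
    for line in report(audit_cookies(headers)) or ["all cookies carry both flags"]:
        print(line)
```

Run it as `python audit.py https://mail.example.com/owa/` (hostname assumed) to see what the scanner saw for an unauthenticated request. Cookies that OWA issues only after a successful logon will not appear in a single anonymous GET, so for a complete inventory capture the headers of the logon POST response as well and pass them to `audit_cookies`. The per-cookie list this produces is also what a QSA will want attached to any exception: it states which named cookies are non-compliant rather than a generic "missing flag" finding.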

Xiu - I am having the exact same issue with vulnerability scan results. Our PCI QSA requires that we have documentation if we intend to ignore the reported vulnerability. Unfortunately, a conversational post on TechNet won't meet those documentation requirements. Can you direct me to any resources from Microsoft that describe the fact that the HttpOnly flag isn't set and the Secure flag is missing? And also that describe the best practices and safeguards in the code for OWA to protect against cross-site scripting? Thank you - Corey
March 20th, 2012 9:42am

Hi Xiu, we also have this vulnerability and we need a fix, or supporting documents if we cannot apply a fix. I'd appreciate it if you could give us some info. Thanks!
April 10th, 2012 8:13pm

I am having the exact same issue with vulnerability scan results. Our PCI QSA requires that we have documentation if we intend to ignore the reported vulnerability. Can you direct me to any resources from Microsoft that describe the fact that the HttpOnly flag isn't set and the Secure flag is missing? And also that describe the best practices and safeguards in the code for OWA to protect against cross-site scripting?
June 5th, 2012 2:25am

We could benefit from this information as well. One of our customers had a third-party security audit conducted, and it cited the fact that our web application does not use secure cookies as a potential vulnerability. They asked us to "fix" this by setting the following entry in the web.config file: <httpCookies requireSSL="true" />.
June 11th, 2012 9:15am

I also could use supporting documentation. Has anyone found that?
July 30th, 2012 2:39pm

Did you fix this issue?
August 9th, 2012 11:52am

Did you fix this vulnerability? I'm also getting this on the PCI scan result. I need to find out how to fix this.
August 9th, 2012 11:52am

I have not found a fix as of yet. I'm currently going to file for an "exception" with my Security Team and see if that will satisfy them. All traffic for the sites in question occurs across a secure internal network, so that's the angle I'm playing.
August 9th, 2012 2:11pm

Did anyone ever find documentation or a workaround for this? We are trying to complete our PCI compliance and this is one of the last things we are failing on.
September 5th, 2012 2:25pm
