In a security scan result, I received the following error:
"Missing Secure Attribute in Encrypted Session (SSL) Cookie" for WL_PERSISTENT_COOKIE and testcookie.
I don't know how to set the secure attribute for these cookies; the WebSphere server only lets me set the secure attribute for the JSESSIONID cookie, not for the others.
Here are my conclusions from my appscan results:
testcookie: This cookie seems to be generated in the worklight.js file. According to AppScan, the application sends a request to the server (GET /ParkingApp/apps/services/preview/SmarterParking/common/0/default/worklight/worklight.js HTTP/1.1) and the server responds with this file, which contains the following code fragment:

    areCookiesEnabled : function() {
        var enabled = true;
        if (WL.EnvProfile.isEnabled(WL.EPField.WEB)) {
            // Write a probe cookie that expires in 24 hours, then read it back.
            var date = new Date();
            date.setTime(date.getTime() + (24 * 60 * 60 * 1000));
            // No Secure attribute here, which is what the scanner flags.
            document.cookie = "testcookie=oreo; expires=" + date.toGMTString() + "; path=/";
            // getCookie is a helper that is not part of this fragment.
            var cookie = getCookie('testcookie');
            enabled = (cookie.value === 'oreo');
        }
        return enabled;
    }
So I understand that the cookie is set in this file, since the subsequent requests and responses exchange the testcookie.
How can I edit this file, given that it seems to be a predefined file in Worklight? Would it be good practice to edit this file so that I modify that line to include the secure attribute?
WL_PERSISTENT_COOKIE: With this cookie I'm a little bit stuck. The Worklight server looks for this cookie in the request and, if it is not found, sends it back to the client in a Set-Cookie header. This is what I'm seeing in the security scan; however, the server doesn't set this cookie with the secure attribute, and I can't find the option in the WebSphere server settings. How could I set the persistent cookie to have the secure attribute?
Thank you very much in advance!
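As an added example (not code from the post, Worklight or WebSphere), the following JavaScript shows the two pieces the question is about: a browser-side probe cookie written with the Secure attribute, as a hardened version of the areCookiesEnabled fragment, and a helper that appends Secure to any Set-Cookie header value that lacks it, which is the job a response filter in front of the Worklight server would do for WL_PERSISTENT_COOKIE. The fake document object, the sample response headers and the cookie values (abc123, 0000xyz) are constructed for the example; SameSite=Strict is an extra hardening choice of this example, not something the scanner asked for.

```javascript
// Added example, not code from the original post, Worklight or WebSphere.

// Browser side: the same probe cookie the worklight.js fragment writes,
// but with the Secure attribute (and SameSite=Strict, an added hardening
// choice of this example) so a scanner no longer flags it.
function buildTestCookie(now = new Date()) {
  const expires = new Date(now.getTime() + 24 * 60 * 60 * 1000);
  return 'testcookie=oreo; expires=' + expires.toUTCString() +
         '; path=/; Secure; SameSite=Strict';
}

// Read one cookie value back from a document.cookie-style string
// ("a=1; b=2"); returns null when the cookie is absent.
function readCookie(doc, name) {
  for (const pair of doc.cookie.split(';')) {
    const [k, ...rest] = pair.trim().split('=');
    if (k === name) return rest.join('=');
  }
  return null;
}

// Hardened equivalent of areCookiesEnabled: write the Secure probe
// cookie and check that it can be read back.
function areCookiesEnabled(doc) {
  doc.cookie = buildTestCookie();
  return readCookie(doc, 'testcookie') === 'oreo';
}

// Server side: add "; Secure" to a Set-Cookie header value that lacks it.
// Idempotent and case-insensitive, so already-secure cookies are untouched.
function ensureSecure(setCookieValue) {
  const attrs = setCookieValue.split(';').slice(1).map(s => s.trim().toLowerCase());
  return attrs.includes('secure') ? setCookieValue : setCookieValue + '; Secure';
}

// Apply ensureSecure to every Set-Cookie header of a response, which is
// what a response filter placed in front of the Worklight server would do
// for WL_PERSISTENT_COOKIE. Headers are [name, value] pairs.
function hardenResponseHeaders(headers) {
  return headers.map(([name, value]) =>
    name.toLowerCase() === 'set-cookie' ? [name, ensureSecure(value)] : [name, value]);
}

// List the cookie names in a header set that still lack Secure (a scanner's view).
function insecureCookies(headers) {
  return headers
    .filter(([name, value]) => name.toLowerCase() === 'set-cookie' && ensureSecure(value) !== value)
    .map(([, value]) => value.split('=')[0].trim());
}

// Constructed stand-in for the browser's document.cookie so the probe can
// run outside a browser. Modern browsers refuse to store a Secure cookie
// written from an insecure (http://) page, which the setter models.
function makeFakeDocument(secureContext) {
  const jar = new Map();
  return {
    set cookie(str) {
      const parts = str.split(';').map(s => s.trim());
      const [name, value] = parts[0].split('=');
      const secure = parts.slice(1).some(p => p.toLowerCase() === 'secure');
      if (secure && !secureContext) return;
      jar.set(name, value);
    },
    get cookie() {
      return [...jar].map(([k, v]) => k + '=' + v).join('; ');
    },
  };
}

// Constructed sample response; the cookie values are made up.
const sampleHeaders = [
  ['Content-Type', 'text/html'],
  ['Set-Cookie', 'WL_PERSISTENT_COOKIE=abc123; Path=/'],
  ['Set-Cookie', 'JSESSIONID=0000xyz; Path=/; HttpOnly; Secure'],
];

function demo() {
  return {
    flaggedBefore: insecureCookies(sampleHeaders),                        // ['WL_PERSISTENT_COOKIE']
    flaggedAfter: insecureCookies(hardenResponseHeaders(sampleHeaders)),  // []
    probeOverHttps: areCookiesEnabled(makeFakeDocument(true)),            // true
    probeOverHttp: areCookiesEnabled(makeFakeDocument(false)),            // false
  };
}
```

The probeOverHttp result is the caveat to keep in mind before adding Secure to either cookie: a Secure cookie is only stored and sent over HTTPS, so once the flag is added the application must be served over HTTPS end to end, otherwise the probe reports cookies as disabled and the server never gets WL_PERSISTENT_COOKIE back. Patching the attribute in on the server side (the hardenResponseHeaders approach) avoids editing the shipped worklight.js, but it only helps for cookies the server sets; the document.cookie probe still has to change in the client code.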