Question

Unsecure cookies after setting requireSSL flag

1

When scanning an app on web-vulnerabilities, the following vulnerability message appears: "Session cookie without secure flag set" This involves the cookies XASESSIONID and XASIS. The attempt to fix this by setting the secure flag in the web.config (<httpcookies requiressl="true"/>) on IIS failed, the vulnerability still exists. Anyone has an idea how to resolve this?

asked 2014-02-20

Thijs Schoemaker

2 answers

Benny van Reeven · Answer 1 · 2014-02-21

The Mendix runtime itself does not know whether you are using SSL, because that is handled by the front-facing web server (IIS or Nginx). In order to get secure cookies from the runtime, you have to configure the front-facing web server to add the 'X-Forwarded-Scheme' HTTP header to all requests forwarded to the runtime. The value of the header should be 'https'.

Edit: I didn't see your comment on Chris's answer until after I answered. This is indeed part of the security checklist documented here. If you correctly configure the reverse proxy to add the 'X-Forwarded-Scheme' header to all requests forwarded to the Mendix runtime, the runtime should send secure cookies.

Chris de Gelder · Answer 2 · 2014-02-20

will this help?