
After adding the following tag in web.config

<httpCookies requireSSL="true" />

I am getting "Set-Cookie: Secure" in every response header. But I can see there are duplicate "Set-Cookie" attributes in the headers, as below (IBM AppScan screenshot):

IBM AppScan is raising an exception: "Missing Secure Attribute in Encrypted Session (SSL) Cookie". I have gone through this question and RFC 6265, but I am not clear if a response header can have another "Set-Cookie" attribute for the secure flag.

Sachin Pakale
  • You can have multiple `Set-Cookie` response headers, but each one sets an individual, complete cookie. The information for _one_ cookie cannot be split across multiple such headers. What your screenshot shows is two cookies being set: the session cookie, and then one with the name `Secure` only, and no additional info such as value, path, expiry ... – CBroe Oct 05 '17 at 10:01
  • Thanks for your explanation @CBroe – Sachin Pakale Oct 06 '17 at 12:54
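As an added example (not code from the question, the comment, or ASP.NET), the following Python parser handles each `Set-Cookie` header independently, as RFC 6265 section 5.2 requires, and then runs the kind of check AppScan performs: any cookie set on a TLS response whose own `Set-Cookie` string lacks `Secure` is reported. The two response texts are constructed to mirror the question; the cookie name `ASP.NET_SessionId` and its value are assumed. Note that RFC 6265 section 5.2 says a set-cookie-string whose first token contains no `=` is ignored entirely (browsers have varied in how they treat such a line), so a bare `Set-Cookie: Secure` header cannot attach the flag to the preceding cookie either way.

```python
"""Per-header Set-Cookie parsing (RFC 6265 section 5.2) and a
missing-Secure-attribute check. Added example; sample headers are
constructed, not captured from the question's application."""

from dataclasses import dataclass, field


@dataclass
class Cookie:
    name: str
    value: str
    # attribute name, lowercased -> attribute value, or None for flags
    attrs: dict = field(default_factory=dict)


def parse_set_cookie(header_value):
    """Parse ONE Set-Cookie header value as RFC 6265 section 5.2 does.

    Returns a Cookie, or None when the user agent must ignore the
    string: the name-value pair has no '=' (step 2) or an empty name
    (step 4).  Attributes only ever apply to the cookie named in the
    same header; there is no carry-over between headers."""
    parts = header_value.split(";")
    pair = parts[0].strip()
    if "=" not in pair:
        return None
    name, _, value = pair.partition("=")
    name, value = name.strip(), value.strip()
    if not name:
        return None
    attrs = {}
    for attr in parts[1:]:
        attr = attr.strip()
        if not attr:
            continue
        key, sep, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return Cookie(name, value, attrs)


def parse_response_headers(raw):
    """Split raw header text into (lowercased-name, value) pairs.
    Each Set-Cookie line stays a separate header: unlike most headers,
    Set-Cookie values must never be merged into one comma-joined field."""
    headers = []
    for line in raw.splitlines():
        if ":" not in line:
            continue  # status line or blank line
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def cookies_from_response(raw):
    """All cookies a conforming user agent would accept from the response."""
    cookies = []
    for name, value in parse_response_headers(raw):
        if name == "set-cookie":
            cookie = parse_set_cookie(value)
            if cookie is not None:
                cookies.append(cookie)
    return cookies


def insecure_cookies(raw, over_tls=True):
    """What a scanner such as AppScan flags: names of cookies set on a TLS
    response without a Secure attribute in their own Set-Cookie string."""
    if not over_tls:
        return []
    return [c.name for c in cookies_from_response(raw) if "secure" not in c.attrs]


# Constructed sample mirroring the question: the session cookie in one
# header and a second, separate Set-Cookie header containing only "Secure".
BROKEN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: ASP.NET_SessionId=abc123; path=/; HttpOnly\r\n"
    "Set-Cookie: Secure\r\n"
)

# Corrected form: the Secure attribute sits inside the same Set-Cookie
# string as the cookie it protects.
FIXED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: ASP.NET_SessionId=abc123; path=/; HttpOnly; Secure\r\n"
)

if __name__ == "__main__":
    for label, raw in (("broken", BROKEN_RESPONSE), ("fixed", FIXED_RESPONSE)):
        print(label, [(c.name, c.attrs) for c in cookies_from_response(raw)],
              "missing Secure:", insecure_cookies(raw))
```

Run against `BROKEN_RESPONSE` the parser yields a single cookie, `ASP.NET_SessionId`, with `path` and `httponly` attributes but no `secure`, and the bare `Secure` header is dropped; against `FIXED_RESPONSE` the same cookie carries `secure` and the check reports nothing, which is the header shape the scanner expects to see.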

0 Answers