
We got a "Missing Secure Attribute in Encrypted Session (SSL) Cookie" issue for primefaces.download based on an IBM AppScan DSAT test.

PrimeFaces version is 7.0.

Sample example: https://www.primefaces.org/showcase/ui/data/dataexporter/basic.xhtml

primefaces.download -- this cookie is set when we download a file.

We already have session-config in the web.xml, but when I check in Chrome the primefaces.download cookie is not set as HttpOnly and Secure.

Is there anything else required to be done when running it on JBoss 7.2?

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" id="WebApp_ID" version="3.0">

..........

<session-config>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>


Update: issue raised at https://github.com/primefaces/primefaces/issues/6040


1 Answer

A pull request to fix the issue in 9.0-SNAPSHOT has been submitted.

https://github.com/primefaces/primefaces/pull/6041

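For readers on a PrimeFaces version without the fix above, the reason web.xml does not help is that `<session-config><cookie-config>` governs only the container's session-tracking cookie (JSESSIONID); a cookie the application adds itself, such as primefaces.download, has to get its flags from the code that creates it. The filter below is an added example written for this page, not PrimeFaces or JBoss code: it wraps the response and sets Secure (when the request arrived over TLS) and HttpOnly on every cookie passed to `addCookie`. It assumes the Servlet 3.0+ API (javax.servlet) as shipped with JBoss, that PrimeFaces writes its cookie through `HttpServletResponse.addCookie` rather than a raw `Set-Cookie` header, and that the class and package names are placeholders. One caveat: PrimeFaces' client-side download monitor reads primefaces.download from `document.cookie`, so making that particular cookie HttpOnly can break the download-complete callback; the example therefore leaves cookies named in `JS_READABLE` readable by script and only adds Secure to them.

```java
// Added example (not PrimeFaces or JBoss code). Hardens cookies the application
// adds itself, which <session-config><cookie-config> in web.xml does not cover.
// Assumes the javax.servlet 3.0+ API; package, class and constant names are
// placeholders chosen for this example.
package example.security;

import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

// Maps to every URL so the response is wrapped before the FacesServlet runs.
// Equivalent web.xml registration: a <filter> plus <filter-mapping> on /*.
@WebFilter(urlPatterns = "/*")
public class CookieFlagsFilter implements Filter {

    // Cookie names that browser-side script must still be able to read and
    // therefore must NOT be HttpOnly. PrimeFaces' download monitor polls
    // document.cookie for primefaces.download, so it stays script-readable.
    // (Name list is an assumption for this example; extend as your app needs.)
    static final Set<String> JS_READABLE = new HashSet<String>(
            Arrays.asList("primefaces.download"));

    @Override
    public void init(FilterConfig filterConfig) {
    }

    @Override
    public void destroy() {
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Secure only makes sense when the client connection is TLS. Behind a
        // TLS-terminating proxy request.isSecure() is false; in that case read
        // the proxy's forwarded-protocol header here instead (not shown).
        boolean overTls = request.isSecure();
        chain.doFilter(req, new HardeningResponse(response, overTls));
    }

    /** Response wrapper that flags every cookie before the container writes it. */
    static class HardeningResponse extends HttpServletResponseWrapper {
        private final boolean overTls;

        HardeningResponse(HttpServletResponse response, boolean overTls) {
            super(response);
            this.overTls = overTls;
        }

        @Override
        public void addCookie(Cookie cookie) {
            super.addCookie(harden(cookie, overTls));
        }
    }

    /** Sets Secure on TLS and HttpOnly unless script must read the cookie. */
    static Cookie harden(Cookie cookie, boolean overTls) {
        if (overTls) {
            cookie.setSecure(true);
        }
        if (!isJsReadable(cookie.getName())) {
            cookie.setHttpOnly(true); // Cookie.setHttpOnly exists since Servlet 3.0
        }
        return cookie;
    }

    // Matches the bare name and a "name_<suffix>" variant, since PrimeFaces can
    // append a monitor key to the download cookie name (assumed here).
    static boolean isJsReadable(String name) {
        for (String readable : JS_READABLE) {
            if (name.equals(readable) || name.startsWith(readable + "_")) {
                return true;
            }
        }
        return false;
    }
}
```

Cookies written via `response.setHeader("Set-Cookie", ...)` or `addHeader` bypass `addCookie` and are not touched by this wrapper; if a scanner still flags such a cookie, override those two methods as well. To verify, trigger the export and inspect the `Set-Cookie` response header in the browser's Network tab (or the Application > Cookies view): primefaces.download should show Secure, and all other application cookies should show both Secure and HttpOnly.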