Issues » Cookies do not require SSL

Issue: SI-2
Date: Jun 6, 2011, 7:45:00 AM
Severity: Medium
Requires Admin Access: Yes
Fix Version: 2.5.7
Credit: HCA
Description:

Many security policies state that any area of the website or web application that contains sensitive information or access to privileged functionality such as remote site administration requires that all cookies are sent via SSL during an SSL session. The URL:

http://localhost/c/portal/layout?r=1359623609170

fails this policy. If a cookie is marked with the "secure" attribute, the browser will only transmit it when the communications channel with the host is a secure one; in practice this means that secure cookies are only sent to HTTPS (HTTP over SSL) servers. If "secure" is not specified, the cookie is considered safe to send in the clear over unsecured channels. dotCMS is not specifying "secure" when setting cookies.
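The following is an added example, not dotCMS code and not part of the original advisory: a small checker that reads the Set-Cookie headers of an HTTP response and reports every cookie that lacks the "secure" attribute (it also reports a missing HttpOnly attribute, since the same audit usually covers both). The sample response headers, including the cookie names and values, are constructed here to show one cookie set the way the description above criticises and one set correctly.

```python
"""Audit Set-Cookie headers for the Secure (and HttpOnly) attribute.

Added example; not dotCMS project code. The SAMPLE_RESPONSE below is a
constructed header block, not output captured from a dotCMS server.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class CookieReport:
    name: str
    secure: bool
    httponly: bool

    def problems(self) -> List[str]:
        """List the policy violations for this cookie (empty list means it passes)."""
        issues = []
        if not self.secure:
            issues.append("missing Secure attribute: cookie may be sent over plain HTTP")
        if not self.httponly:
            issues.append("missing HttpOnly attribute: cookie is readable from script")
        return issues


def parse_set_cookie(header_value: str) -> CookieReport:
    """Parse one Set-Cookie header value ("name=value; Attr; Attr=val; ...")."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive; keep only the name of each attribute.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return CookieReport(name=name, secure="secure" in attrs, httponly="httponly" in attrs)


def audit_headers(raw_headers: str) -> Dict[str, List[str]]:
    """Return {cookie_name: [problems]} for every Set-Cookie line in a raw header block."""
    findings: Dict[str, List[str]] = {}
    for line in raw_headers.splitlines():
        if line.lower().startswith("set-cookie:"):
            report = parse_set_cookie(line.split(":", 1)[1])
            findings[report.name] = report.problems()
    return findings


# Constructed sample: the first cookie has neither flag (the SI-2 condition),
# the second is set with both flags as a hardened backend should.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: JSESSIONID=EXAMPLE1234; Path=/
Set-Cookie: ADMIN_TOKEN=EXAMPLE5678; Path=/; Secure; HttpOnly
"""

if __name__ == "__main__":
    for cookie_name, problems in audit_headers(SAMPLE_RESPONSE).items():
        status = "OK" if not problems else "; ".join(problems)
        print(f"{cookie_name}: {status}")
```

Run it against the raw headers of an authenticated response from the admin area (for example, the headers saved from a browser's developer tools) to confirm that, once SSL is enforced, the session cookie is actually flagged "secure" rather than merely happening to travel over HTTPS.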

Mitigation:

Set your admin console to force the use of SSL for all admin sessions. See the document "SSL: Secure Backend Login" for information on how to do this. This will prevent session and authentication cookies from being sent in the clear.

References
  • https://github.com/dotCMS/dotCMS/issues/3052