Session Cookie Found Without Secure Flag Set

When the HTTP protocol is used, traffic is sent in plaintext, which allows an attacker on the network path to read or modify it (a man-in-the-middle attack). HTTPS is the secure version of HTTP: it uses SSL/TLS to protect application-layer data. When HTTPS is used, the following properties are achieved: server authentication, confidentiality and data integrity.

The Secure flag is an attribute that the application server can set when it sends a new cookie to the user in the Set-Cookie header of an HTTP response. Its purpose is to prevent the cookie from being observed by unauthorized parties through transmission in clear text.

To accomplish this, browsers that support the Secure flag only send such cookies when the request goes to an HTTPS page. Put another way, the browser will not send a cookie with the Secure flag set over an unencrypted HTTP request.

By setting the Secure flag, the browser will prevent transmission of the cookie over an unencrypted channel. Note that the flag governs transmission only: it does not stop JavaScript from reading the cookie (that is the separate HttpOnly flag), and a session cookie that was issued before the flag was enabled has already been exposed and should be re-issued once the fix is deployed. Current browsers also refuse to store a cookie carrying the Secure flag when the Set-Cookie header itself arrives over plain HTTP, so the cookie must be issued over HTTPS in the first place.
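The following Python script is an added example and is not part of the original finding text. It does two things a practitioner checking this finding wants: it audits a list of Set-Cookie headers for session cookies that lack the Secure flag, and it uses Python's standards-based cookie jar (no network traffic is generated) to show which stored cookies a client would attach to an http:// request versus an https:// request. The sample headers, the list of session cookie names and the host name example.com are all constructed for the demonstration.

```python
"""Added example, not part of the original finding text: audits Set-Cookie
headers for session cookies that lack the Secure flag, then uses Python's
cookie jar to show which cookies a client attaches to an http:// request
versus an https:// request.  Headers, cookie names and host are constructed."""
import http.cookiejar
import urllib.request

# Constructed sample Set-Cookie headers, as a scanner would read them from
# a response.  PHPSESSID is missing the Secure flag on purpose.
SAMPLE_SET_COOKIE = [
    "PHPSESSID=abc123; Path=/; HttpOnly",
    "ASP.NET_SessionId=def456; Path=/; Secure; HttpOnly",
    "theme=dark; Path=/",
]

# Cookie names commonly used for session identifiers (assumed list, extend
# it with your application's own session cookie name).
SESSION_COOKIE_NAMES = {"phpsessid", "asp.net_sessionid", "jsessionid", ".aspxauth"}

COOKIE_DOMAIN = "example.com"   # constructed host for the simulation


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def find_insecure_session_cookies(headers):
    """Return the names of session cookies that were set without Secure."""
    findings = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if name.lower() in SESSION_COOKIE_NAMES and "secure" not in attrs:
            findings.append(name)
    return findings


def make_cookie(name, value, secure):
    """Build a Netscape-style cookie for COOKIE_DOMAIN with the given Secure bit."""
    return http.cookiejar.Cookie(
        version=0, name=name, value=value, port=None, port_specified=False,
        domain=COOKIE_DOMAIN, domain_specified=True, domain_initial_dot=False,
        path="/", path_specified=True, secure=secure, expires=None,
        discard=True, comment=None, comment_url=None, rest={})


def cookies_sent_to(url, headers=SAMPLE_SET_COOKIE):
    """Sorted names of the stored cookies a cookie jar attaches to a request for url.

    add_cookie_header never touches the network: it only decides which cookies
    match the request's scheme, host and path, which is the same Secure-flag
    check a browser performs before sending the Cookie header.
    """
    jar = http.cookiejar.CookieJar()
    for header in headers:
        name, value, attrs = parse_set_cookie(header)
        jar.set_cookie(make_cookie(name, value, "secure" in attrs))
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    sent = request.get_header("Cookie")
    if not sent:
        return []
    return sorted(item.split("=", 1)[0] for item in sent.split("; "))


if __name__ == "__main__":
    print("session cookies without Secure:",
          find_insecure_session_cookies(SAMPLE_SET_COOKIE))
    for scheme in ("http", "https"):
        url = f"{scheme}://{COOKIE_DOMAIN}/account"
        print(f"{url} -> {cookies_sent_to(url)}")
```

Running the script reports PHPSESSID as the insecure session cookie and shows that the plain-HTTP request carries PHPSESSID and theme while ASP.NET_SessionId, the only cookie with Secure set, is withheld until the request goes over HTTPS. Point find_insecure_session_cookies at the Set-Cookie headers of a real response (for example the output of curl -I) to reproduce the check behind this finding.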

Setting the Secure Flag:
The following sections describe how to set the Secure flag in each technology.



ASP.NET Session Cookie

There are two settings. The httpCookies element in web.config has a requireSSL attribute; when it is set to true, ASP.NET marks every cookie it issues, including the session cookie, as Secure. Forms authentication has its own requireSSL attribute on the forms element, so if you turn on requireSSL for httpCookies you must turn it on for forms authentication as well, or the authentication ticket cookie will still be sent over plain HTTP.

In the <system.web> element, add the following element:
<httpCookies requireSSL="true" />

Then add the requireSSL="true" attribute to the forms element as well.
You will end up with:

<system.web>
  <httpCookies requireSSL="true" />
  <authentication mode="Forms">
    <forms requireSSL="true">
      <!-- other forms settings -->
    </forms>
  </authentication>
</system.web>

With requireSSL="true" on the forms element, ASP.NET refuses to issue the authentication ticket in response to a non-HTTPS request, so the login page itself must be served over HTTPS.


PHP

Method #1 By using the ini_set function
Add the following code to the page, before session_start() is called (the setting can equally be made in php.ini):
ini_set("session.cookie_secure", "1");
Method #2 By using the session_set_cookie_params function
Add the following code to the page, before session_start() is called. The arguments are lifetime, path, domain, secure and httponly; passing null keeps the current php.ini value for that parameter:
session_set_cookie_params(0, null, null, true, null);
Method #3 By using the setcookie function
Add the following code when creating the cookie. The arguments are name, value, expires, path, domain, secure and httponly; the last argument is the separate HttpOnly flag and is left at false here because this finding concerns only the Secure flag:
setcookie("name", "value", 0, "/", "", true, false);