Question

Security issues after Pen test - SSL Cookie without security flag set

Recently we installed AES on a test server and it underwent a pen test. There is one finding related to the SSL cookie. Please find the problem description below.

Problem Description : The secure flag should be set on all cookies that are used for transmitting sensitive data when accessing content over HTTPS. If cookies are used to transmit session tokens, then areas of the application that are accessed over HTTPS should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications.

I followed the link https://pdn.pega.com/support-articles/how-add-secure-and-httponly-attributes-cookie and found that the setting `<env name="HTTP/SetSecureCookie" value="true" />` solved the issue in another version of Pega. Can we go for the same fix in Pega 7.3.0?

Please advise.


**Moderation Team has archived post**

This post has been archived for educational purposes. Contents and links will no longer be updated. If you have the same/similar question, please write a new post.

Comments

Pega
January 29, 2018 - 8:32am

Yes; platform 73 supports setting cookies as secure.

By the way, if this is a new AES 73 installation, I suggest you use the latest platform version, 7.3.1.
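To confirm that the finding is closed after the setting is applied, the Set-Cookie headers of an HTTPS response can be audited for the Secure (and HttpOnly) attribute. This is an added example, not part of the original post or of Pega's software; the response headers and cookie names below are constructed for illustration.

```python
"""Audit Set-Cookie headers for missing Secure / HttpOnly attributes.

Added example (not from the original post or from Pega). The sample
response below is constructed; cookie names are placeholders.
"""
from dataclasses import dataclass, field


@dataclass
class CookieFinding:
    name: str                                  # cookie name as sent by the server
    missing: list = field(default_factory=list)  # attributes the pen test expects


def parse_set_cookie(value: str):
    """Return (cookie name, set of lower-cased attribute names) for one header value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_set_cookie_headers(raw_headers: str, over_https: bool = True):
    """Scan raw HTTP response headers and report cookies lacking Secure/HttpOnly.

    Secure is only required when the response was served over HTTPS, which is
    the case the pen test finding describes; HttpOnly is reported regardless.
    """
    findings = []
    for line in raw_headers.splitlines():
        if not line.lower().startswith("set-cookie:"):
            continue
        name, attrs = parse_set_cookie(line.split(":", 1)[1])
        missing = []
        if over_https and "secure" not in attrs:
            missing.append("Secure")
        if "httponly" not in attrs:
            missing.append("HttpOnly")
        if missing:
            findings.append(CookieFinding(name, missing))
    return findings


# Constructed sample: one cookie with HttpOnly only, one with neither flag,
# one correctly flagged.
SAMPLE_RESPONSE_HEADERS = """HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=constructed-session-id; Path=/; HttpOnly
Set-Cookie: app-session=constructed-value; Path=/
Set-Cookie: prefs=light; Path=/; Secure; HttpOnly
"""

if __name__ == "__main__":
    for f in audit_set_cookie_headers(SAMPLE_RESPONSE_HEADERS):
        print(f"{f.name}: missing {', '.join(f.missing)}")
```

Running the block against a real capture means pasting the response headers from the HTTPS test server in place of the constructed sample; an empty result means every cookie carries both attributes.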