Setting the secure flag on cookies from Outlook Web Access

Posted by Cheekysoft on Server Fault See other posts from Server Fault or by Cheekysoft
Published on 2012-06-26T12:39:02Z Indexed on 2012/06/26 15:18 UTC
Read the original article Hit count: 242

I'm running Exchange 2007 SP3 which is exposing outlook web access over only HTTPS. However the server delivers the sessionid cookie without the secure flag set. Even though I don't have port 80 open, this cookie is still vulnerable to being stolen over port 80 in the event of a man-in-the-middle attack. It also contributes to a PCI-DSS failure

Does anyone know if I can persuade the web server/application to set the secure flag?

© Server Fault or respective owner

Related posts about security

Related posts about exchange-2007