Setting the secure flag on cookies from Outlook Web Access
Posted by Cheekysoft on Server Fault
Published on 2012-06-26T12:39:02Z
I'm running Exchange 2007 SP3, which is exposing Outlook Web Access over only HTTPS. However, the server delivers the sessionid cookie without the secure flag set. Even though I don't have port 80 open, this cookie is still vulnerable to being stolen over port 80 in the event of a man-in-the-middle attack. It also contributes to a PCI-DSS failure.
Does anyone know if I can persuade the web server/application to set the secure flag?
© Server Fault or respective owner