Hi List

A scan of our clients site "revealed" some vulnerabilities around cookies.

It said we had:
"Missing Secure Flag From SSL Cookie (http-cookie-secure-flag)"
"Missing HttpOnly Flag From Cookie (http-cookie-http-only-flag)"

So, to turn this on, I did a couple of edits of the httpd.conf

I uncommented:
LoadModule headers_module modules/mod_headers.so

Then added the line:
Header set Set-Cookie HttpOnly;Secure

My login.lasso page, does an ajax call to a page which does this:

Session_Start(-Name = $site + 'user', -Expires=120, -UseCookie);
Session_AddVar(-Name=$site + 'user', 'sessionloginok');

On the callback page sessionloginok wasn't set.

When I removed the "Header set" - it worked again.

Does anyone know why this is happening?

Regards
Jon Harris


#############################################################

This message is sent to you because you are subscribed to
the mailing list Lasso Lasso@lists.lassosoft.com
Official list archives available at http://www.lassotalk.com
To unsubscribe, E-mail to: <Lasso-unsubscribe@lists.lassosoft.com>
Send administrative queries to <Lasso-request@lists.lassosoft.com>