Ravi

Reputation: 401

IBM AppScan - Missing Secure Attribute in Encrypted Session (SSL) Cookie

We got a "Missing Secure Attribute in Encrypted Session (SSL) Cookie" issue for primefaces.download based on an IBM AppScan DAST test.

PrimeFaces version is 7.0.

Sample example: https://www.primefaces.org/showcase/ui/data/dataexporter/basic.xhtml

primefaces.download: this cookie is set when we download a file.

We already have session-config in web.xml, but when I check in Chrome, the primefaces.download cookie is not set as HttpOnly and Secure.

Is there anything else required to be done when running it on JBoss 7.2?

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" id="WebApp_ID" version="3.0">

..........

<session-config>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>


Update: issue raised at https://github.com/primefaces/primefaces/issues/6040

Upvotes: 4

Views: 865
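The session-config / cookie-config block in web.xml only governs the container's own session cookie (JSESSIONID); a cookie that the application or a library such as PrimeFaces adds itself is not touched by it, which is why primefaces.download still shows up without the flags. The filter below is an added example, not code from the original post or from PrimeFaces: it wraps the response and forces Secure (and, where safe, HttpOnly) on every cookie written through HttpServletResponse.addCookie. The class names, the init parameter and the assumption that the cookie goes through addCookie are mine. One caveat a practitioner should check before enabling HttpOnly on this particular cookie: the PrimeFaces download monitor (monitorDownload on p:fileDownload / DataExporter) polls the primefaces.download cookie from browser-side JavaScript to detect when the download has finished, so HttpOnly would break that feature; the scanner finding is about the Secure attribute, and the example therefore keeps the download cookie readable by script while still marking it Secure.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebInitParam;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Hardens application-set cookies on their way out. Container-level
 * session-config/cookie-config in web.xml only covers JSESSIONID, so cookies
 * added by the application or by libraries (e.g. primefaces.download) need this.
 *
 * Hypothetical filter for illustration; assumes Servlet 3.0+ (Cookie.setHttpOnly)
 * and that the cookies in question are written via HttpServletResponse.addCookie.
 */
@WebFilter(
    filterName = "CookieHardeningFilter",
    urlPatterns = "/*",
    initParams = {
        // Cookies that browser-side script must still be able to read; these get
        // Secure but not HttpOnly. primefaces.download is polled by the PrimeFaces
        // download monitor from JavaScript (assumption to verify for your version).
        @WebInitParam(name = "scriptReadableCookies", value = "primefaces.download"),
        // Set to "true" when TLS is terminated in front of the app server and
        // request.isSecure() would therefore report false.
        @WebInitParam(name = "alwaysSecure", value = "false")
    })
public class CookieHardeningFilter implements Filter {

    private Set<String> scriptReadable = Collections.emptySet();
    private boolean alwaysSecure;

    @Override
    public void init(FilterConfig config) {
        String names = config.getInitParameter("scriptReadableCookies");
        if (names != null && !names.trim().isEmpty()) {
            scriptReadable = new HashSet<String>(Arrays.asList(names.split("\\s*,\\s*")));
        }
        alwaysSecure = Boolean.parseBoolean(config.getInitParameter("alwaysSecure"));
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest && res instanceof HttpServletResponse) {
            boolean secure = alwaysSecure || ((HttpServletRequest) req).isSecure();
            chain.doFilter(req, new HardeningResponse((HttpServletResponse) res, secure, scriptReadable));
        } else {
            chain.doFilter(req, res);
        }
    }

    @Override
    public void destroy() {
        // nothing to release
    }

    /** Response wrapper that rewrites cookie attributes before the container emits Set-Cookie. */
    static final class HardeningResponse extends HttpServletResponseWrapper {
        private final boolean secure;
        private final Set<String> scriptReadable;

        HardeningResponse(HttpServletResponse response, boolean secure, Set<String> scriptReadable) {
            super(response);
            this.secure = secure;
            this.scriptReadable = scriptReadable;
        }

        @Override
        public void addCookie(Cookie cookie) {
            // Secure only makes sense when the browser talks TLS to us; a Secure cookie
            // set over plain HTTP is simply discarded by the browser.
            if (secure) {
                cookie.setSecure(true);
            }
            // HttpOnly for everything except cookies that client-side code must read.
            if (!scriptReadable.contains(cookie.getName())) {
                cookie.setHttpOnly(true);
            }
            super.addCookie(cookie);
        }
    }
}
```

This only intercepts addCookie; a cookie emitted with setHeader("Set-Cookie", ...) or addHeader bypasses the wrapper, so after deploying, confirm in the browser's developer tools (or with the scanner re-run) that the Set-Cookie line for primefaces.download now carries Secure. If the PrimeFaces fix referenced below lands in your version, the filter becomes redundant for that cookie but still covers any others the application sets.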

Answers (1)

Ravi

Reputation: 401

A Pull Request to fix the issue in 9.0-SNAPSHOT has been submitted.

https://github.com/primefaces/primefaces/pull/6041

Upvotes: 1
