09 May 2019 11:09 PM
Hi.
We are working with Dynatrace SaaS, with OneAgent version 1.157.201.20181211-092722.
The security department of our company found a warning security risk.
Cookie Does Not Contain The "secure" Attribute
Impact: Cookies with "secure" attribute are only permitted to be sent via HTTPS. Cookies sent via HTTP expose an unsuspecting user to sniffing attacks that could lead to user impersonation or compromise of the application account.
HTTP Cookie missing Secure attribute on port 443.
Set-Cookie: dtCookie==3=srv=3=sn=3A695446E5F92C0A76D24CFC824D60B4=perc=100000=ol=0=mul=1; Path=/
Could anybody please tell us if there is an option we could configure to avoid this warning?
I have seen something similar but in AppMon
10 May 2019 07:56 AM
Go to Application settings => Advanced:
Here is the option you need.
Sebastian
23 May 2019 05:06 PM - last edited on 26 Nov 2021 02:30 PM by Karolina_Linda
We already set the attribute on our application but the scan result still says the cookie is not secured.
Please answer the two questions:
Q1. Is there anything else we should configure? Maybe in the two hosts of our DMZ cluster?
Q2. Our two DMZ hosts have the latest available version: OneAgent version 1.167.176.20190508-104947, however, the Cookie and header settings require OneAgent version 1.87 or higher, but the point is the latest version available for us is 1.167....
So I think something is wrong: either the label which asks for version 1.87, or why we can only see up to version 1.167...
Thanks a lot.
23 May 2019 07:30 PM
1.167 is a greater version than 1.87 🙂 If after reconfiguration the cookie is still unsecure, make sure that this application covers all requests that you are talking about. If you have more than one application, or there are some requests in the default one, it is possible that there are some of them without the secure parameter. If not, open a support ticket and put a link to this question.
Sebastian
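One way to check which requests still return the cookie without Secure, as the last reply suggests, written as an added example that is not part of the original thread or any Dynatrace code. The URLs, the JSESSIONID cookie and the `; Secure` suffix in the sample data are constructed; only the dtCookie value is taken from the scan output quoted above.

```python
# Added example: audit captured Set-Cookie headers for a missing Secure attribute.
# SAMPLE_RESPONSES is constructed; the URLs and JSESSIONID value are hypothetical.

def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes).

    Only the first '=' separates name from value, so a value that itself
    contains '=' (as dtCookie does) stays intact.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name.strip(), value, attrs


def find_insecure_cookies(responses, cookie_name=None):
    """Return sorted (url, cookie name) pairs whose Set-Cookie lacks Secure."""
    findings = []
    for url, headers in responses:
        for header_name, header_value in headers:
            if header_name.lower() != "set-cookie":
                continue
            name, _, attrs = parse_set_cookie(header_value)
            if cookie_name and name != cookie_name:
                continue
            if "secure" not in attrs:
                findings.append((url, name))
    return sorted(findings)


DT_VALUE = "=3=srv=3=sn=3A695446E5F92C0A76D24CFC824D60B4=perc=100000=ol=0=mul=1"
SAMPLE_RESPONSES = [
    # Request covered by the reconfigured application: Secure is present.
    ("https://shop.example.com/", [
        ("Set-Cookie", f"dtCookie={DT_VALUE}; Path=/; Secure"),
    ]),
    # Request that falls into another (or the default) application.
    ("https://shop.example.com/legacy/status", [
        ("set-cookie", f"dtCookie={DT_VALUE}; Path=/"),
        ("Set-Cookie", "JSESSIONID=constructed123; Path=/; secure; HttpOnly"),
    ]),
]

if __name__ == "__main__":
    for url, name in find_insecure_cookies(SAMPLE_RESPONSES, "dtCookie"):
        print(f"missing Secure: {name} on {url}")
```

Grouping the findings by URL shows which requests are not covered by the application whose cookie settings were changed.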