The Qualys Vulnerability Signatures team has identified a vulnerability that should be reported as a PCI Fail according to the most recent release of the PCI Standards. The PCI Council requires that any new failing vulnerability be reported immediately, and therefore we have marked QID 150122 Cookie Does Not Contain The "secure" Attribute as a PCI Fail effective today. Qualys expects this may affect a significant number of our customers.
QID 150122 is a PCI Fail according to PCI-DSS v3.1 requirement 6.5.10:
6.5.10 Examine software development policies and procedures and interview responsible personnel to verify that broken authentication and session management are addressed via coding techniques that commonly include:
- Flagging session tokens (for example cookies) as “secure”
- Not exposing session IDs in the URL
- Incorporating appropriate time-outs and rotation of session IDs after a successful login
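The first bullet of the requirement, flagging session cookies as "secure", is exactly what QID 150122 tests for. The following Python script is an added example, not Qualys code and not part of the PCI-DSS text: it parses `Set-Cookie` header values the way a scanner would, reports every cookie issued without the `Secure` attribute, and shows the corrected header for each finding. The header lines in `SAMPLE_HEADERS`, and the function names, are constructed for this example.

```python
"""Audit Set-Cookie headers for the missing Secure attribute (QID 150122).

Added example for the advisory above; not Qualys code. The response headers
in SAMPLE_HEADERS are constructed sample data, not captured traffic.
"""
from typing import Dict, List, Tuple

# Constructed sample: the header list of one HTTPS response. Set-Cookie may
# repeat, so headers are kept as (name, value) pairs rather than a dict.
SAMPLE_HEADERS: List[Tuple[str, str]] = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/; HttpOnly"),        # finding
    ("Set-Cookie", "PHPSESSID=def456; Path=/; Secure; HttpOnly"), # compliant
    ("Set-Cookie", "theme=dark; Path=/; SECURE"),                 # compliant
]


def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Split one Set-Cookie value into cookie name, value and attributes.

    Attribute names are lower-cased because RFC 6265 defines them as
    case-insensitive; a scanner that only matches "Secure" literally would
    miss "SECURE" and raise a false positive.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def cookies_missing_secure(headers: List[Tuple[str, str]]) -> List[str]:
    """Return the names of cookies set by this response without Secure."""
    missing = []
    for header_name, header_value in headers:
        if header_name.lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(header_value)
        if "secure" not in cookie["attrs"]:
            missing.append(cookie["name"])
    return missing


def add_secure(header_value: str) -> str:
    """Return the Set-Cookie value with the Secure attribute appended if absent.

    This is the remediation the requirement asks for: the cookie is then only
    sent by the browser over HTTPS.
    """
    if "secure" in parse_set_cookie(header_value)["attrs"]:
        return header_value
    return header_value.rstrip("; ") + "; Secure"


def audit(headers: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Pair each failing Set-Cookie value with its corrected form."""
    report = []
    for header_name, header_value in headers:
        if header_name.lower() != "set-cookie":
            continue
        if "secure" not in parse_set_cookie(header_value)["attrs"]:
            report.append((header_value, add_secure(header_value)))
    return report


if __name__ == "__main__":
    for original, fixed in audit(SAMPLE_HEADERS):
        print("FAIL:", original)
        print("  fix:", fixed)
```

To use it against a real system, replace `SAMPLE_HEADERS` with the header pairs of an HTTPS response from your own application (for example `response.getheaders()` from `http.client`); any cookie listed by `cookies_missing_secure` is one the Qualys check would flag, and the `Secure` attribute has to be set by the application or framework issuing the cookie, not patched in by a proxy after the fact.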
If you believe your specific implementation does not pose a risk to cardholder data, or that you have sufficient compensating controls to mitigate any potential risk, please submit a request in Qualys PCI.
For reference, please see the PCI-DSS v3 documentation in the PCI-DSS Documents Library.