
False Positive missing HTTPOnly and secure on Expired cookies

Question asked by J T on Jan 7, 2016
Latest reply on Jan 9, 2016 by Axel

Have an application (.NET) that is being run through an authenticated scan. Upon logout the session cookie is invalidated by setting the expires to Jan 1, 1970. This is done by .NET using a built-in signout mechanism which we are not in control of. It does not set the HTTPOnly or secure attributes because the cookie is dead and contains no value and therefore is not a risk.


Here is an example of the cookie that the scanner detected in its output (cookie name and domain changed, obviously):


examplecookie=; expires=Thu Jan 1 00:00:00 1970; path=/; domain=exampledomain.com


The scanner still believes that an expired cookie is a threat. Is there anything that can be done? I don't want to disable this type of scan altogether, but in this case it's a non-issue.
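A triage check for the situation described in the question, added here as an example (it is not part of the original post and not code from any scanner): it treats a Set-Cookie header that deletes the cookie (empty value with an Expires date in the past, or Max-Age=0) as carrying nothing to protect, and reports missing HttpOnly/Secure only for live cookies. The live-cookie header strings are constructed samples; the expired one is the header quoted in the post.

```python
from datetime import datetime, timezone

# Expires formats seen in the wild; the last one matches the asctime-style
# date in the post ("Thu Jan 1 00:00:00 1970").
EXPIRES_FORMATS = (
    "%a, %d %b %Y %H:%M:%S %Z",   # Thu, 01 Jan 1970 00:00:00 GMT
    "%a, %d-%b-%Y %H:%M:%S %Z",   # Thu, 01-Jan-1970 00:00:00 GMT
    "%a %b %d %H:%M:%S %Y",       # Thu Jan 1 00:00:00 1970
)


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attribute: value-or-None})."""
    parts = [p.strip() for p in header.split(";")]
    name, _sep, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None  # flags have no value
    return name.strip(), value.strip(), attrs


def parse_expires(text):
    """Return the Expires date as an aware UTC datetime, or None if unparseable."""
    for fmt in EXPIRES_FORMATS:
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def is_deletion(value, attrs, now=None):
    """True when the header only clears the cookie: Max-Age<=0, or empty value with a past Expires."""
    now = now or datetime.now(timezone.utc)
    if attrs.get("max-age", "").lstrip("-").isdigit() and int(attrs["max-age"]) <= 0:
        return True
    expires = parse_expires(attrs["expires"]) if attrs.get("expires") else None
    return value == "" and expires is not None and expires < now


def missing_flags(header, now=None):
    """Protections worth reporting for this header; [] when the cookie is being deleted."""
    _name, value, attrs = parse_set_cookie(header)
    if is_deletion(value, attrs, now):
        return []
    return [flag for flag in ("httponly", "secure") if flag not in attrs]


# Constructed samples: the post's expired cookie, then a live cookie without flags.
EXPIRED = "examplecookie=; expires=Thu Jan 1 00:00:00 1970; path=/; domain=exampledomain.com"
LIVE = "livecookie=abc123; path=/; domain=exampledomain.com"
```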
