Insecure cookie fails security scan

5 months ago
Our site running Nop 4.30 is scanned by Trustwave and has failed as the .Nop.Customer cookie is flagged up as insecure. When I look in the dev tools in Chrome I only see the cookie as secure, however Trustwave sent this Curl output that shows 2 entries for .Nop.Customer, the first one doesn't have the secure flag set but the 2nd one does.

Any idea why there are two entries and how to stop this or ensure both are using the secure flag? It looks like the cookie is only set from WebWorkContext.SetCustomerCookie() which looks like it is setting the secure flag correctly.

[[email protected] ~]$ curl -Ik https://82.223.26.91/
HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
Set-Cookie: .Nop.Customer=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/
Set-Cookie: .Nop.Customer=7c0d8518-eeb2-4324-8187-fc7a53cfc9d3; expires=Thu, 05 Aug 2021 17:32:23 GMT; path=/; secure; httponly
Set-Cookie: .Nop.TempData=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; secure; samesite=lax; httponly
5 months ago
Further to my previous post, Trustwave is also failing the security scan as it says the .Nop.Customer cookie doesn't have the httponly flag set:

"The website software running on this server appears to be setting session cookies without the HttpOnly flag set. This means the session identifier information in these cookies is susceptible to attacks such as Cross-site Scripting which may allow attackers to read this cookie's data."

Their evidence is the same as above where the curl response shows two .Nop.Customer cookies, one with the httponly flag set and the other without it. I don't understand why this isn't visible in the Chrome dev tools?

Really need some help on this or we won't be able to take card payments.
5 months ago
You could override the SetCustomerCookie method with:

    //set new cookie value
    var options = new CookieOptions
    {
        Secure = true,
        HttpOnly = true,
        Expires = cookieExpiresDate
    };

Beyond that I would protest the findings with screenshots of your devtools proving that the cookie is secure and httponly.  Trustwave will have a human review the protest and put an exclusion on that rule for your account.
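
A scanner reads every Set-Cookie line in the raw response, while the browser's stored-cookie view shows only the result after the later line for the same name and path has replaced the earlier one. The following is an added example, not part of the thread or of nopCommerce: it parses the response headers from the first post (shortened) and reports each Set-Cookie line that lacks secure or httponly, marking whether the line clears the cookie or sets a value. The function and class names are hypothetical.

```python
from dataclasses import dataclass

# Sample input: response headers from the first post, shortened to the relevant lines.
SAMPLE_HEADERS = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Set-Cookie: .Nop.Customer=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/
Set-Cookie: .Nop.Customer=7c0d8518-eeb2-4324-8187-fc7a53cfc9d3; expires=Thu, 05 Aug 2021 17:32:23 GMT; path=/; secure; httponly
Set-Cookie: .Nop.TempData=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; secure; samesite=lax; httponly
"""

@dataclass
class CookieLine:
    name: str
    value: str
    attrs: dict  # lower-cased attribute name -> value ("" for bare flags)

    @property
    def is_deletion(self):
        # Empty value plus an epoch expiry is how a server clears a cookie.
        return self.value == "" and "1970" in self.attrs.get("expires", "")

    @property
    def missing_flags(self):
        return [f for f in ("secure", "httponly") if f not in self.attrs]

def parse_set_cookies(raw_headers):
    """Return one CookieLine per Set-Cookie header, in response order."""
    cookies = []
    for line in raw_headers.splitlines():
        field, _, rest = line.partition(":")
        if field.strip().lower() != "set-cookie":
            continue
        pair, *attr_parts = [p.strip() for p in rest.split(";")]
        name, _, value = pair.partition("=")
        attrs = {k.strip().lower(): v.strip()
                 for k, _, v in (p.partition("=") for p in attr_parts) if k}
        cookies.append(CookieLine(name.strip(), value.strip(), attrs))
    return cookies

def audit(raw_headers):
    """List (index, name, kind, missing_flags) for each line lacking a flag."""
    return [(i, c.name, "deletion" if c.is_deletion else "value", c.missing_flags)
            for i, c in enumerate(parse_set_cookies(raw_headers)) if c.missing_flags]

if __name__ == "__main__":
    for finding in audit(SAMPLE_HEADERS):
        print(finding)
```

On the sample, the only line reported is the first .Nop.Customer entry, which has an empty value and an epoch expiry; the line that carries the customer GUID has both flags.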