In our web application we are facing a security risk issue reported by the security scan team. The issue is that we have a cookie called opentoken and it's set as a secure one. But while passing through SSL, that particular cookie is not accessible through SSL.
The secure cookie (opentoken) is not sent over SSL
AttackResponse:
HTTP/1.1 302 Found
Cache-Control: private
ReportDate:4/27/20156
Content-Length: 142
Content-Type: text/html; charset=iso-8859-1
Location: /Login.aspx?ReturnUrl=%2f
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-Frame-Options: SAMEORIGIN
Set-Cookie: OpenToken=b86058b4675af6e5ff8aee7ce7e5d183d426a6cd23ef3f835859c8c6417206fa;Path=/;Domain=domain.us
X-Powered-By: ARR/2.5
X-Powered-By: ASP.NET
Da...TRUNCATED...
Is there a way to get it so it is passed over SSL, not whether or not it is a true security concern? I don't run security scans against our web servers; we have a security tech who does it. It was simply flagged as a possible medium-level issue.
Help is highly appreciated.
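What the scanner is checking for, as an added example that is not part of the original post: a cookie is restricted to HTTPS only when its Set-Cookie header carries the Secure attribute, and the OpenToken header in the response above lists only Path and Domain. The sample response below is constructed, its cookie values are placeholders, and the function names are hypothetical.

```python
# Added example (not from the original post): list the cookies in a raw HTTP
# response whose Set-Cookie header lacks a required attribute such as Secure.

# Constructed sample modelled on the scan output; cookie values are placeholders.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: /Login.aspx?ReturnUrl=%2f\r\n"
    "Set-Cookie: OpenToken=PLACEHOLDER;Path=/;Domain=domain.us\r\n"
    "Set-Cookie: Hardened=PLACEHOLDER; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
    "<html>body is ignored</html>"
)


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, {lower-cased attribute: value})."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts:
        return None, {}
    # Only the first "=" separates name from value; the value may contain more.
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name, attrs


def audit_cookies(raw_response, required=("secure",)):
    """Return {cookie name: [required attributes that are missing]}."""
    findings = {}
    for line in raw_response.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header section
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() == "set-cookie":
            name, attrs = parse_set_cookie(value)
            if name:
                findings[name] = [a for a in required if a not in attrs]
    return findings


if __name__ == "__main__":
    for name, missing in audit_cookies(SAMPLE_RESPONSE).items():
        print(f"{name}: {'missing ' + ', '.join(missing) if missing else 'ok'}")
```

Run it against the headers captured after a configuration change to confirm that the finding is cleared; pass `required=("secure", "httponly")` to check both attributes.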