Potential Sensitive Persistent Cookie Sent Over a Non-Encrypted (SSL) Channel

I get the following from McAfee Secure. I did not get this vulnerability when I was using 1.3.5. I am currently using 2.10.

Any suggestions on how to fix this? (Below is the explanation from McAfee)



The remote host appears to have set a potentially sensitive persistent cookie across the internet in plain text.

An HTTP cookie is a piece of text-based data created by a website and sent to a web browser client and then sent back to the website without modification by the browser. The various uses for HTTP cookies include authentication, differentiation of users, maintaining data related to a user when they are viewing the website, maintaining a list of contents stored as when used by a shopping cart application, etc. In short, this is a way to identify a user by the computer they used to access the site as well as providing a way for the browser to keep the session in memory for subsequent visits as well as personalization based on the preference of a particular user. Using cookies allows browser and server to “maintain state”.

The cookie that was set by the server was flagged as being potentially sensitive. Potentially sensitive information could be session tokens, user IDs, or passwords.



The potentially sensitive cookie was also sent over a non-encrypted channel. Using secure protocols to transmit cookies normally ensures a safe method of transmission. By sending cookies over non-secure channels, the cookie has the potential to be “sniffed” over network traffic. This has become a much larger issue when you take into account how many people today use wireless hot spots and public terminals.

The cookie was also persistent. Persistent cookies are saved to the client's machine in a text file format. By doing this, the cookie can be used at a later time, even after the browser has been closed. Once the expires tag (a directive sent along with the cookie) has been reached, the cookie is then deleted from the client. Attackers can view these saved cookies even after the user's browser has been closed. With the amount of public terminals that are being used today, and the information that is saved in these cookies, an attacker can gain a lot of information about the users of these systems.

General Solution:

Verify the business need pertaining to the cookie. You should identify and answer ALL of the following questions:

Does the client need to send potentially sensitive information back and forth to the server?

In some cases there is a business need to do this, such as maintaining the user’s session. If this is the case, verify that the data in the cookie is encrypted.


Why is a sensitive cookie being sent over an insecure channel?

If this is a session cookie there is NO VALID REASON that this cookie is sent over an insecure channel. This cookie and potentially the entire site needs to be encrypted end-to-end using SSL.

Does the cookie need to be persistent (saved on the client's machine)?

Potentially sensitive cookies should never be saved to a client's machine. Verify the business case of why this is currently being done.

This has been reported and acknowledged in the Bug Tracker without any comment from the developers:

[url]http://forum.cs-cart.com/vbugs.php?do=view&vbug_id=954[/url]

Bob
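The McAfee text above boils down to three checks on each Set-Cookie header: is the cookie name one that likely carries a session token or identifier, was it set over plain HTTP (and does it lack the Secure attribute, so the browser will keep sending it over HTTP), and is it persistent (Expires or Max-Age present)? The script below is an added example, not code from this thread or from CS-Cart: it parses Set-Cookie headers, applies those checks, and shows the header rewritten the way the "General Solution" asks for (no persistence, Secure set). The sensitive-name regex is a heuristic I chose, and the sample headers are constructed for illustration.

```python
"""Assess Set-Cookie headers against the three questions in the McAfee finding.

Added example (not from the forum thread or CS-Cart). The name heuristic and the
sample headers below are constructed assumptions, not scanner output.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Heuristic: cookie names that commonly carry session tokens or user identifiers.
SENSITIVE_NAME_RE = re.compile(r"(sess|sid|token|auth|login|user|pass|pwd)", re.IGNORECASE)

# Conventional capitalisation when re-emitting attributes (cosmetic only).
ATTR_LABELS = {"path": "Path", "domain": "Domain", "secure": "Secure",
               "expires": "Expires", "max-age": "Max-Age", "samesite": "SameSite",
               "httponly": "HttpOnly"}


@dataclass
class CookieFinding:
    name: str
    sensitive: bool
    persistent: bool
    secure: bool
    issues: list[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> tuple[str, str, dict[str, str | None]]:
    """Split 'name=value; Attr=val; Flag' into (name, value, {attr_lower: val_or_None}).

    Splitting on ';' is safe here: an Expires date contains a comma but never a semicolon.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: dict[str, str | None] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return name.strip(), value.strip(), attrs


def assess(header: str, over_tls: bool) -> CookieFinding:
    """Apply the finding's three questions to one Set-Cookie header.

    over_tls: whether the response carrying this header arrived over HTTPS.
    """
    name, _value, attrs = parse_set_cookie(header)
    persistent = "expires" in attrs or "max-age" in attrs
    secure = "secure" in attrs
    sensitive = bool(SENSITIVE_NAME_RE.search(name))
    finding = CookieFinding(name, sensitive, persistent, secure)
    if sensitive and not over_tls:
        finding.issues.append("sensitive cookie set over a non-encrypted channel")
    if sensitive and not secure:
        finding.issues.append("Secure attribute missing; browser will also return it over HTTP")
    if sensitive and persistent:
        finding.issues.append("persistent; stored on the client and survives browser close")
    return finding


def harden(header: str) -> str:
    """Rewrite a session cookie header: drop Expires/Max-Age and require Secure."""
    name, value, attrs = parse_set_cookie(header)
    attrs.pop("expires", None)
    attrs.pop("max-age", None)
    attrs["secure"] = None  # flag attribute, no value
    pieces = [f"{name}={value}"]
    for key, val in attrs.items():
        label = ATTR_LABELS.get(key, key)
        pieces.append(label if val is None else f"{label}={val}")
    return "; ".join(pieces)


# Constructed sample headers: a persistent session cookie on plain HTTP (the case the
# scanner reports), and a non-sensitive preference cookie that is fine being persistent.
SAMPLE_SESSION = "sid=abc123; Path=/; Expires=Wed, 09 Jun 2021 10:18:14 GMT"
SAMPLE_PREFERENCE = "currency=USD; Path=/; Expires=Wed, 09 Jun 2021 10:18:14 GMT"


if __name__ == "__main__":
    for hdr, tls in ((SAMPLE_SESSION, False), (SAMPLE_PREFERENCE, False)):
        f = assess(hdr, over_tls=tls)
        print(f"{f.name}: {'; '.join(f.issues) or 'no issues'}")
    print("hardened:", harden(SAMPLE_SESSION))
```

Running it prints three issues for `sid` and none for `currency`; the hardened header comes out as `sid=abc123; Path=/; Secure`, which is the shape a session cookie should have once the store runs over HTTPS.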

Thanks for the info.

When I was searching the forum for “Persistent Cookie” I did not find this.

I am sure that others that have CS-CART are using McAfee Secure. Does anyone else have this problem OR what can be done as a work around? I am not PCI compliant without a change to this.

Just wondering if this was ever resolved? We’re looking at McAfee Secure for 2 of our stores.

Nope - I still get the failure from McAfee.

Has there been a solution to this issue? I use McAfee Secure to scan my website and get this error too: “Potential Sensitive Persistent Cookie Sent Over a Non-Encrypted (SSL) Channel”. This raises problems with PCI compliance and if there is a solution I would like to know what it is.

You just need to let McAfee know that no sensitive information is being submitted in the cookie and they will pass the exception. I contacted CS-Cart about this and received the following reply:

Please note that there is no sensitive information stored in the session cookies. The information stored in the session cookies contains the session’s ID and some settings only. Thank you.

Sincerely yours,

Pavel Zyukin,

Technical support engineer

You might consider running your entire store over SSL. This will resolve the issue.

[quote name=‘grayloon’]You might consider running your entire store over SSL. This will resolve the issue.[/QUOTE]

And uses double (or more) of the bandwidth for conveying the same information.