Jonathan P. asked ·

Cookie Does Not Contain The "secure" Attribute in SaaS

Hi.

We are working with Dynatrace SaaS, with OneAgent version 1.157.201.20181211-092722

The security department of our company found a security risk warning.

Cookie Does Not Contain The "secure" Attribute

Impact: Cookies with the "secure" attribute are only permitted to be sent via HTTPS. Cookies sent via HTTP expose an unsuspecting user to sniffing attacks that could lead to user impersonation or compromise of the application account.

HTTP Cookie missing Secure attribute on port 443.

Set-Cookie: dtCookie==3=srv=3=sn=3A695446E5F92C0A76D24CFC824D60B4=perc=100000=ol=0=mul=1; Path=/

Could anybody please tell us if there is an option we could configure to avoid this warning?

I have seen something similar but in AppMon

Tags: user session monitoring, security

Sebastian K. answered ·

Go to Application settings => Advanced:

Here is the option you need.

Sebastian


Jonathan P. answered ·

We already set the attribute for our application, but the result of the scan still says the cookie is not secured.


Please answer the two questions:

Q1. Is there anything else we should configure? Maybe on the two hosts of our DMZ cluster?

Q2. Our two DMZ hosts have the latest available version: OneAgent version 1.167.176.20190508-104947; however, the Cookie and header settings require OneAgent version 1.87 or higher,

but the point is that the latest version available for us is 1.167....

Available version for us
So I think something is wrong: either the label which asks for version 1.87, or the fact that we can only see up to version 1.167...

Thanks a lot.


1.167 is a greater version than 1.87 :) If after reconfiguration the cookie is still not secure, make sure that this application covers all the requests you are talking about. If you have more than one application, or there are some requests in the default one, it is possible that some of them are without the secure parameter. If not, open a support ticket and put a link to this question in it.

Sebastian

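The scanner finding in the question and Sebastian's advice to check every request, not just one, can both be reproduced offline with a small checker. The block below is an added example written for this thread; it is not Dynatrace code and not the scanner the security department used. The sample headers are constructed: the first is the dtCookie header quoted in the question, the other two are made up to show a hardened dtCookie on another path and an application-issued cookie with a different gap. The function names (`parse_set_cookie`, `audit`, `scan`, `harden`) are this example's own.

```python
# Added example for this thread (not Dynatrace code): a checker that looks for
# the same gap the scanner in the question flagged (Set-Cookie without Secure),
# plus the usual companion attributes, across several responses. It also shows
# the hardened form of a header.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Cookie:
    name: str
    value: str
    attrs: Dict[str, str]  # attribute name (lower-cased) -> value ("" for flags)


# Constructed sample input: (request path, Set-Cookie header value) pairs as a
# scanner might collect them from several responses on port 443. The first
# header is the dtCookie header quoted in the question; the others are made up.
SAMPLE_RESPONSES: List[Tuple[str, str]] = [
    ("/", "dtCookie==3=srv=3=sn=3A695446E5F92C0A76D24CFC824D60B4=perc=100000=ol=0=mul=1; Path=/"),
    ("/app/", "dtCookie=3=srv=3=sn=0123456789ABCDEF=perc=100000=ol=0=mul=1; Path=/; Secure; HttpOnly"),
    ("/login", "JSESSIONID=0123456789ABCDEF; Path=/; HttpOnly; SameSite=Lax"),
]

# Attributes a hardened cookie should carry. The scanner in the question only
# flagged Secure; HttpOnly and SameSite are checked here as well.
REQUIRED_ATTRIBUTES = {"secure": "Secure", "httponly": "HttpOnly", "samesite": "SameSite"}


def parse_set_cookie(header: str) -> Cookie:
    """Split a Set-Cookie header value into name, value and attributes.

    The cookie-pair is everything before the first ';'. Only the first '=' in
    it separates name from value, because the value may itself contain '='
    (the dtCookie value above is full of them). Attribute names are
    case-insensitive (RFC 6265), so they are stored lower-cased; flag
    attributes such as Secure map to an empty string.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return Cookie(name=name.strip(), value=value, attrs=attrs)


def audit(header: str) -> List[str]:
    """Return findings for one Set-Cookie header, e.g. ['missing Secure']."""
    attrs = parse_set_cookie(header).attrs
    return [f"missing {label}" for key, label in REQUIRED_ATTRIBUTES.items() if key not in attrs]


def scan(responses: List[Tuple[str, str]]) -> Dict[str, Dict[str, List[str]]]:
    """Audit every response and return {path: {cookie name: findings}} for
    cookies with at least one finding. Running this over all requests, not
    just one, is the check Sebastian's comment asks for: the same cookie can
    be hardened on one path and still be emitted without Secure on another."""
    report: Dict[str, Dict[str, List[str]]] = {}
    for path, header in responses:
        findings = audit(header)
        if findings:
            report.setdefault(path, {})[parse_set_cookie(header).name] = findings
    return report


def harden(header: str, samesite: str = "Lax") -> str:
    """Return the header with Secure, HttpOnly and SameSite appended if absent.
    Attributes that are already present are left untouched, so the function
    is idempotent."""
    attrs = parse_set_cookie(header).attrs
    out = header.rstrip().rstrip(";")
    if "secure" not in attrs:
        out += "; Secure"
    if "httponly" not in attrs:
        out += "; HttpOnly"
    if "samesite" not in attrs:
        out += f"; SameSite={samesite}"
    return out


if __name__ == "__main__":
    for path, cookies in scan(SAMPLE_RESPONSES).items():
        for name, findings in cookies.items():
            print(f"{path}: {name}: {', '.join(findings)}")
    print(harden(SAMPLE_RESPONSES[0][1]))
```

Two points worth keeping in mind when reading the scanner output. First, the finding is reported on port 443 even though that connection is TLS, because a cookie without Secure would also be sent on a plain `http://` request to the same host, which is where it could be sniffed. Second, the application setting in the answer governs the dtCookie that OneAgent sets; a cookie issued by the application itself (the constructed JSESSIONID line above) has to get its attributes from the application or the reverse proxy in front of it, so a rescan can still report a finding after the Dynatrace option is enabled.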

mobile monitoring dotnet synthetic monitoring reports iis chat kubernetes servicenow amazon web services mysql mainframe rest api errors cassandra dashboard oneagent sdk cmc application monitoring openkit smartscape request attributes monitoring developer community user tagging log monitoring services ufo syntheticadvisory activegate ip addresses auto-detection high five award oracle hyperion webserver uem usql iib test automation license web performance monitoring ios news migration management zones index ibm mq web services custom event alerts notifications sso host monitoring knowledge sharing reports browser monitors java hybris sap vmware maintenance window user action naming javascript appmon ai synthetic classic availability tipstricks automation extensions session replay diagnostic tools permissions davis assistant faq documentation problem detection http monitors server easytravel apdex aws-quickstart network docker tags and metadata cloud foundry google cloud platform synthetic monitoring process groups account usability dynatrace saas gui paas openshift key user actions administration user actions postgresql synthetic locations oneagent security Dynatrace Managed user management custom python technologies mongodb openstack user session monitoring continuous delivery citrix configuration alerting NGINX action naming linux nam installation masking error reporting database mission control jmeter recorder apache mobileapp RUM php threshold azure purepath davis scripting agent aix nodejs android