Help with securing "route" cookie
francis at daoine.org
Mon Nov 21 14:35:20 UTC 2016
On Sat, Nov 19, 2016 at 01:08:24PM -0800, Gerard Mattison wrote:
> One of the issue I having is that when I ran a vulnerability assessment,
> the "route" cookie is coming up as not secure.
It looks like the cookie should be secure.
Is there any change that you used this browser to access this server;
then reconfigured the server to add the "secure" options and reloaded
the config; and then refreshed the page in the browser?
If so, that would explain it -- you have to arrange that the browser
removes the previous session cookie (for example, by closing the browser
or just by deleting the cookie). If the browser presents a cookie,
the server will not send a new one.
And it is only the new one that will be marked "Secure" or not.
Good luck with it,
Francis Daly francis at daoine.org
More information about the nginx