Vestacp is an open source server management tool. Once you install it on server it becomes an integral part of your server. Also, it comes under any PCI compliance scans you would run on your server. In my case I was running PCI compliance scan by Qualys and it failed for the Cookie secure and HTTPOnly attributes, something like this:
- Cookie Does Not Contain The “HTTPOnly” Attribute
- Cookie Does Not Contain The “secure” Attribute
What are Cookie secure and HTTPOnly attributes?
Websites use cookies to create a communication channel between user and server. A website not using an SSL certificate works through HTTP. In HTTP channel data is transferred in plain text. It applies to cookies as well. Since data is in plain text any attacker can eavesdrops between the user and server to read the data.
Website using SSL uses secured HTTPS protocol to communicate with user. In this case if an attacker intercepts the communication and tries to read the data he won’t as data is encrypted and almost impossible to read.
Now here question arises that if my website uses HTTPS why do I need to set HTTPOnly and secure attributes. There is a catch there. Any website using HTTPS can also be accessed through HTTP. Most site owners implement a redirection mechanism so that any non HTTPS requests are routed to HTTPS protocol.
With this possibility to reach website with HTTP we need to tell the server or script to not use HTTP or plain text protocol to deliver cookies and only deliver them using HTTPS channel only.
How to make HTTPOnly and secure Cookie attributes work?
Implementing Cookie secure and HTTPOnly on Apache server
In Apache you can edit httpd.conf file to add the following rule to headers as following.
- Make sure that mod_headers module is enabled
- Add the following code to httpd.conf file
<IfModule mod_headers.c> Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure </IfModule>
Note: Header edit is not compatible with lower than Apache 2.2.4 version. So the following code should be used, within the <ifModule> block, of course.
Header set Set-Cookie HttpOnly;Secure
- Restart Apache to view the change
In nginx server
- Set the following in nginx.conf file under server or http directives. Example:
server { proxy_cookie_path / "/; secure; HttpOnly"; }
- Restart nginix
In vestacp
/usr/local/vesta/nginx/conf/nginx.conf
server { proxy_cookie_path / "/; secure; HttpOnly"; }
<IfModule mod_headers.c> Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure </IfModule>
service vesta restart
Hint: In Vestacp there is a Server section where you can edit Apache & nginx conf files through admin panel. Just add the above given lines of code and save with Restart option checked. It should take effect.
If making changes to httpd.conf and/or nginx.conf does not work try changing session settings in php.ini file. Location of php.ini in my Centos 7 system was /usr/local/vesta/php/lib/php.ini
Once located php.in search for these two settings in your php.in file and set them to 1
- session.cookie_secure=1
- session.http_only=1
After making changes to settings in vestacp from ssh restart vestacp service:
service vesta restart