5 Replies Latest reply on Nov 3, 2015 12:36 PM by wjwerner1

    WebDirect connection JSESSIONID cookie not secure?

    wjwerner1

      Hi all,

      I've created a WebDirect solution "web form" where I'm asking users to input personal data, and I want to make sure it is secure. My web security team flagged my process, saying the website doesn't secure the JSESSIONID cookie and that it could be susceptible to a MITM (man-in-the-middle) attack.

      I am using Windows Server 2012 R2 with the latest patches and IIS 8 -- I have a signed and trusted CA from one of the approved authorities. I have tried to tweak the IIS settings every which way, but still can't get the first JSESSIONID cookie to be sent as secure only.

       

      How should I mitigate this specific security issue?

       

      Thank you for your input.

      ~WJ Werner
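
A way to verify the finding described in the post above, and to re-check it after any configuration change: this is an added example, not part of the original post and not FileMaker or IIS code. It parses `Set-Cookie` headers and reports whether the JSESSIONID cookie carries the `Secure` attribute; the header values, the function names and the extra `HttpOnly` check are assumptions made for illustration.

```python
"""Audit Set-Cookie headers for a session cookie missing Secure/HttpOnly."""

# Constructed sample headers (not captured from a real server).
# The cookie value deliberately contains the text "Secure" to show why a
# substring search over the header gives a false "pass".
BEFORE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "lang=en; Path=/"),
    ("Set-Cookie", "JSESSIONID=SecureA1B2C3; Path=/; HttpOnly"),
]
AFTER = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=SecureA1B2C3; Path=/; HttpOnly; secure"),
]


def cookie_attributes(set_cookie_value):
    """Split one Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            # Attribute names are case-insensitive; flags have no value.
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_session_cookie(headers, cookie_name="JSESSIONID",
                         required=("secure", "httponly")):
    """Return one finding per Set-Cookie header that sets cookie_name."""
    findings = []
    for header, value in headers:
        if header.lower() != "set-cookie":
            continue
        name, _, attrs = cookie_attributes(value)
        if name != cookie_name:
            continue
        missing = [attr for attr in required if attr not in attrs]
        findings.append({"cookie": name, "missing": missing, "ok": not missing})
    return findings


if __name__ == "__main__":
    for label, headers in (("before", BEFORE), ("after", AFTER)):
        for finding in audit_session_cookie(headers):
            print(label, finding)
```

The `headers` argument has the same shape as the list returned by `http.client.HTTPResponse.getheaders()`, so the first response from the site can be passed in directly.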