
WebDirect connection JSESSIONID cookie not secure?

Question asked by wjwerner1 on Oct 30, 2015
Latest reply on Nov 3, 2015 by wjwerner1

Hi all,

I've created a WebDirect solution "web form" where I'm asking users to input personal data, and I want to make sure it is secure. My web security team flagged my process, saying the website doesn't secure the JSESSIONID cookie and that it could be susceptible to a MITM (man-in-the-middle) attack.


I am using Windows Server 2012 R2 with the latest patches and IIS 8 -- I have a signed and trusted CA from one of the approved authorities. I have tried to tweak the IIS settings every which way, but still can't get the first JSESSIONID cookie to be sent as secure only.


How should I mitigate this specific security issue?


Thank you for your input.

~WJ Werner