rockstor / rockstor-core

Linux/BTRFS based Network Attached Storage(NAS)
http://rockstor.com/docs/contribute_section.html
GNU General Public License v3.0

SessionID cookie without secure flag set #1941

Open hashtaginfosec opened 6 years ago

hashtaginfosec commented 6 years ago

The sessionid cookie does not utilize "secure" flag. Hence, even with the use of TLS, the cookie can be intercepted by listening for pages that may not use TLS. Note that offering the whole website over HTTPS is not a sufficient defense. If a user were to accidentally access the site over HTTP, the server would redirect them to HTTPS; however, that HTTP request has already offered up the cookie "sessionid" to an eavesdropper.

Proof:

$ curl -I https://rockster -k
HTTP/1.1 200 OK
Date: Fri, 29 Jun 2018 04:51:01 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Keep-Alive: timeout=20
Server: gunicorn/19.7.1
Vary: Cookie
Set-Cookie: csrftoken=vTT6s49oGF6DH7MDSOpxE9cjnBGwN2TI; expires=Fri, 28-Jun-2019 04:51:01 GMT; Max-Age=31449600; Path=/

Accessing HTTPS site over HTTP: [screenshot attached to the original issue]

Remediation: Set-Cookie: <cookie-name>=<cookie-value>; Secure

For more https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie

Possible pitfall: According to Mozilla document referenced above,

Insecure sites (http:) can't set cookies with the "secure" directive anymore (new in Chrome 52+ and Firefox 52+).
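The following is an added example and not code from Rockstor or from the reporter: a small audit script that parses Set-Cookie header values such as the ones in the curl output above and reports which security attributes a session-bearing cookie lacks, plus a helper that applies the quoted remediation to a header string. The sessionid header in the sample is constructed (the value is a placeholder), and the per-cookie flag policy is an assumption: Secure for both cookies, HttpOnly for sessionid only, since a csrftoken is typically read by page scripts.

```python
"""Audit Set-Cookie headers for the Secure (and HttpOnly) attribute.

Added example, not Rockstor's code. It splits Set-Cookie header values the
way a browser would and reports missing security attributes for cookies
that carry authentication state.
"""

# Constructed sample input: the csrftoken header quoted in the report above,
# plus a hypothetical sessionid header whose value is only a placeholder.
SAMPLE_SET_COOKIE_HEADERS = [
    "csrftoken=vTT6s49oGF6DH7MDSOpxE9cjnBGwN2TI; expires=Fri, 28-Jun-2019 04:51:01 GMT; "
    "Max-Age=31449600; Path=/",
    "sessionid=PLACEHOLDER_SESSION_VALUE; HttpOnly; Path=/",
]

# Assumed policy: which flags each sensitive cookie must carry. csrftoken is
# read by page scripts, so HttpOnly is not demanded of it here.
REQUIRED_FLAGS = {
    "sessionid": ("secure", "httponly"),
    "csrftoken": ("secure",),
}

# Canonical spelling of the flag attributes for reporting.
FLAG_NAMES = {"secure": "Secure", "httponly": "HttpOnly"}


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attributes).

    Attributes are keyed by lower-cased attribute name; flag attributes such
    as Secure and HttpOnly map to True. Splitting on ';' is safe because the
    only attribute that contains a comma (Expires) never contains a semicolon.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def missing_flags(header, required=None):
    """Return the security flags (as header spellings) absent from one header.

    If no explicit list is given, the policy in REQUIRED_FLAGS is used, and
    cookies not listed there are held to Secure only.
    """
    name, _, attrs = parse_set_cookie(header)
    if required is None:
        required = REQUIRED_FLAGS.get(name, ("secure",))
    return [FLAG_NAMES[flag] for flag in required if attrs.get(flag) is not True]


def audit(headers):
    """Map each policy-listed cookie name to the flags it lacks (empty list = OK)."""
    report = {}
    for header in headers:
        name, _, _ = parse_set_cookie(header)
        if name in REQUIRED_FLAGS:
            report[name] = missing_flags(header)
    return report


def add_secure_flag(header):
    """Return the header with '; Secure' appended when it is missing.

    This applies the remediation quoted in the report to a header string for
    illustration; in the application the flag comes from the framework's
    cookie settings, not from editing header text.
    """
    if "Secure" in missing_flags(header, ("secure",)):
        return header.rstrip("; ") + "; Secure"
    return header


if __name__ == "__main__":
    for cookie, flags in audit(SAMPLE_SET_COOKIE_HEADERS).items():
        status = "missing " + ", ".join(flags) if flags else "ok"
        print(f"{cookie}: {status}")
    print(add_secure_flag(SAMPLE_SET_COOKIE_HEADERS[1]))
```

Run against the sample, the audit reports both cookies as missing Secure. The gunicorn server and the csrftoken cookie name in the capture are what a Django application emits; in Django the corresponding fix is `SESSION_COOKIE_SECURE = True` and `CSRF_COOKIE_SECURE = True` in settings, which sets the attribute on every response rather than on individual headers. The Mozilla pitfall quoted above then matters: once the flag is set, any response still served over plain http: cannot set these cookies in current browsers, so the HTTP-to-HTTPS redirect must happen before any cookie is issued.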

phillxnet commented 6 years ago

@hashtaginfosec Thanks for another thorough report. Please see my response in your last issue re pr submissions (#1940) as you are most welcome to submit a pr to address this issue.

Thanks again for your efforts in this area, much appreciated.

@schakrava and @MFlyer more in your areas this one again I'm afraid.

hashtaginfosec commented 6 years ago

Thanks @phillxnet. I'm working on producing a solution locally and once tested (and barring time constraints) I'll be working on a pull request.

phillxnet commented 6 years ago

Great. It will be nice to have another code contributor on-board.