Penetration Testing, Cookies, and Apache Versions

In the never-ending saga of penetration testing, we got dinged this morning on a client's server with the following error:

After much research I discovered that the reason it was complaining was that it was getting that Set-Cookie line coming in as a header on responses from the site.

BTW, I discovered that you can see the headers that come back in a response using the Chrome Developer tools by doing the following:

  • Navigate to the site
  • Open the Developer tools (Control-Shift-J, or right click and choose Inspect)
  • Switch to the Network tab
  • Refresh the page
  • Click on the main page file (it should be the first element in the list)
  • And you can see all the headers etc. Like so:

That second Set-Cookie line is what they are complaining about. BTW, that first Set-Cookie line is coming from WEBDEV and is the session tracking cookie.

Here is where the irony comes in: the reason that the extra Set-Cookie line is there is because of a line in our Apache config file that we added several years ago to make a separate penetration test happy. We had this in our vhost file:

I certainly didn't dream that up on my own 🙂 Well, it turns out that in older 2.2 versions of Apache that was how the line needed to read in order to append those attributes to all the cookie headers of the site. But in newer 2.4 versions of Apache, it sends them as a separate Set-Cookie line instead of appending them to the existing one.

More research eventually led me to how the line needs to be written in the latest versions of Apache, as below:

Notice I am only appending Secure, since the other attributes are already being written by WEBDEV.
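To make the difference between the two behaviours concrete, here is an added example (my own illustration, not the vhost lines from this post or anything shipped with Apache or WEBDEV). It models two mod_headers directives in Python: `Header add`, which always emits a new header line and so produces the stray attribute-only Set-Cookie a scanner flags, and `Header edit Set-Cookie ^(.*)$ $1;Secure`, which rewrites each existing cookie in place. The sample response, the cookie name `SESSIONID` and the assumption that the old config behaved like `Header add` are all constructed for the example. The `audit_set_cookie` function is the check I would run on a live response: one finding per cookie missing Secure or HttpOnly, and one per Set-Cookie line that has no `name=value` pair at all.

```python
import re
from typing import List, Tuple

Header = Tuple[str, str]

# Constructed sample response (not captured from the site in the post): the
# framework already emits a session cookie with HttpOnly but without Secure.
FRAMEWORK_RESPONSE: List[Header] = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "SESSIONID=abc123; Path=/; HttpOnly"),
]


def header_add(headers: List[Header], name: str, value: str) -> List[Header]:
    """Model of mod_headers `Header add`: a new header line is appended even
    when a header of that name already exists. This is the 'separate line'
    behaviour described in the post."""
    return headers + [(name, value)]


def header_edit(headers: List[Header], name: str, pattern: str,
                replacement: str) -> List[Header]:
    """Model of mod_headers `Header edit`: every existing header with that
    name has its value rewritten by a regex substitution; nothing is added
    when the header is absent. Apache writes back-references as $1, Python
    as \\1, so the replacement template is translated first."""
    regex = re.compile(pattern)
    py_repl = re.sub(r"\$(\d)", r"\\\1", replacement)
    return [
        (n, regex.sub(py_repl, v) if n.lower() == name.lower() else v)
        for n, v in headers
    ]


def old_config(resp: List[Header]) -> List[Header]:
    """Assumed shape of the old 2.2-era directive on a 2.4 server: an
    attribute-only Set-Cookie line is added beside the real cookie."""
    return header_add(resp, "Set-Cookie", "HttpOnly;Secure")


def new_config(resp: List[Header]) -> List[Header]:
    """The 2.4 form: append Secure to each existing Set-Cookie value."""
    return header_edit(resp, "Set-Cookie", r"^(.*)$", "$1;Secure")


def audit_set_cookie(headers: List[Header]) -> List[str]:
    """Return one finding per Set-Cookie header a scanner would flag: a line
    with no name=value pair, or a cookie lacking Secure or HttpOnly."""
    findings: List[str] = []
    for n, v in headers:
        if n.lower() != "set-cookie":
            continue
        parts = [p.strip() for p in v.split(";") if p.strip()]
        if not parts or "=" not in parts[0]:
            findings.append(f"malformed Set-Cookie (no name=value): {v!r}")
            continue
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        for required in ("secure", "httponly"):
            if required not in attrs:
                findings.append(f"cookie {cookie_name} is missing {required}")
    return findings


if __name__ == "__main__":
    for label, fn in (("old config", old_config), ("new config", new_config)):
        resp = fn(FRAMEWORK_RESPONSE)
        print(f"--- {label} ---")
        for n, v in resp:
            print(f"{n}: {v}")
        print("findings:", audit_set_cookie(resp) or "none")
```

Two caveats when carrying the `Header edit` form into a real vhost: in Apache 2.4 a plain `Header` directive only applies to successful responses, so use `Header always edit ...` if error pages also set cookies; and the `^(.*)$` pattern appends unconditionally, so a cookie the framework already marks Secure would end up with the attribute twice (harmless to browsers, but worth checking with the audit above after a change).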

And now when we look at the headers for the site we get:

And all is once again right in the world according to this particular round of penetration testing. Subject to change by the time I press the Publish button on this article!! But such is the life of Web Administrators 😦
