I'm running Exchange 2007 SP3, which is exposing Outlook Web Access over HTTPS only. However, the server delivers the sessionid cookie without the secure flag set. Even though I don't have port 80 open, this cookie is still vulnerable to being stolen over port 80 in the event of a man-in-the-middle attack. It also contributes to a PCI-DSS failure.
Does anyone know if I can persuade the web server/application to set the secure flag?
Indeed you can. Your question got me curious so I tested it and it works.
In the web.config of the OWA app (which by default lives in \Program Files\Microsoft\Exchange Server\ClientAccess\Owa on the drive where you installed Exchange), set the following in the <system.web> section:
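A small audit script for the finding discussed in this thread, added here as an example and not code from either poster or from Microsoft: it parses Set-Cookie headers the way a browser does and reports every cookie that lacks the Secure attribute, so you can confirm the web.config change took effect. The sample headers and cookie names other than sessionid are constructed; the fetch helper and its /owa/ path are assumptions for use against a live server.

```python
"""Audit Set-Cookie headers for the Secure flag (added example, not the thread's code)."""
import http.client
import ssl
from typing import Dict, List


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie value into its name, value and attribute map."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        key, has_val, val = attr.partition("=")
        # Flag attributes (Secure, HttpOnly) carry no value; store True.
        attrs[key.strip().lower()] = val.strip() if has_val else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def insecure_cookies(set_cookie_headers: List[str]) -> List[str]:
    """Return the names of cookies that are missing the Secure attribute."""
    return [c["name"] for c in map(parse_set_cookie, set_cookie_headers)
            if "secure" not in c["attrs"]]


def fetch_set_cookie_headers(host: str, path: str = "/owa/") -> List[str]:
    """Collect Set-Cookie headers from a live HTTPS endpoint (network required; assumed path)."""
    conn = http.client.HTTPSConnection(host, context=ssl.create_default_context())
    conn.request("GET", path)
    resp = conn.getresponse()
    # getheaders() yields one tuple per header occurrence, so repeated Set-Cookie lines survive.
    headers = [v for k, v in resp.getheaders() if k.lower() == "set-cookie"]
    conn.close()
    return headers


# Constructed samples: a response before and after the fix. "UserContext" is illustrative.
SAMPLE_BEFORE = [
    "sessionid=abc123; path=/; HttpOnly",
    "UserContext=xyz; path=/owa",
]
SAMPLE_AFTER = [
    "sessionid=abc123; path=/; HttpOnly; Secure",
    "UserContext=xyz; path=/owa; Secure",
]

if __name__ == "__main__":
    print("missing Secure before fix:", insecure_cookies(SAMPLE_BEFORE))  # ['sessionid', 'UserContext']
    print("missing Secure after fix:", insecure_cookies(SAMPLE_AFTER))    # []
```

Run it against the real host with `insecure_cookies(fetch_set_cookie_headers("mail.example.com"))`; an empty list means every cookie issued on the login response carries Secure.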