Another set-cookie attribute for secure flag


After adding the following tag in web.config

<httpCookies requireSSL="true" />

I am getting "Set-Cookie:Secure" in every response header. But I can see there are duplicate "Set-Cookie" attributes in the headers as below:

[Image: IBM AppScan]

IBM AppScan is raising an exception - Missing Secure Attribute in Encrypted Session (SSL) Cookie. I have gone through this question and RFC 6265, but I am not clear if a response header can have another "Set-Cookie" attribute for the secure flag.
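Under RFC 6265 each Set-Cookie header field sets one cookie, and a Secure attribute applies only to the cookie named in that same header; section 5.2 also tells the user agent to ignore a header value whose first segment has no "=". The following is an added example, not part of the original question, that audits each Set-Cookie value separately; the header values are constructed and the cookie name `theme` is hypothetical.

```python
# Added example: per-cookie audit of Set-Cookie values (RFC 6265, section 5.2).

def parse_set_cookie(value):
    """Split one Set-Cookie header value into (name, set of attribute names).

    Returns None when the first segment has no '=' or an empty name:
    RFC 6265 section 5.2 tells the user agent to ignore such a header.
    """
    first, *rest = value.split(";")
    name, sep, _ = first.partition("=")
    name = name.strip()
    if not sep or not name:
        return None
    # Attribute names are case-insensitive; values (if any) are not needed here.
    attrs = {seg.partition("=")[0].strip().lower() for seg in rest}
    attrs.discard("")
    return name, attrs


def audit(set_cookie_values):
    """Return (names of cookies missing Secure, header values that are ignored)."""
    missing, ignored = [], []
    for value in set_cookie_values:
        parsed = parse_set_cookie(value)
        if parsed is None:
            ignored.append(value)
        elif "secure" not in parsed[1]:
            missing.append(parsed[0])
    return missing, ignored


# Constructed sample: the Set-Cookie values of a single HTTPS response.
SAMPLE = [
    "ASP.NET_SessionId=abc123; path=/; HttpOnly; Secure",
    "theme=dark; path=/",   # hypothetical cookie set without Secure
    "Secure",               # a value that is only the word Secure
]

if __name__ == "__main__":
    missing, ignored = audit(SAMPLE)
    print("cookies missing Secure:", missing)
    print("header values a user agent ignores:", ignored)
```

A scanner finding of this kind is raised per cookie, so the names returned in the first list are the ones to trace back to the code or configuration that sets them.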
