Missing Secure and HttpOnly Flags from Cookie in OWA

Originally posted this in the Exchange forum, but was told by the moderator that this forum would be a better fit??

Recently had a PCI compliance scan on server running SBS 2011 fail due to following errors:

1) Missing Secure Flag From SSL Cookie at IP address <serverIPaddress>, port 443, instance /OWA. Recommended resolution by scanner vendor: 'add the "Secure" flag to the cookie'.

2) Missing HttpOnly Flag From Cookie at IP address <serverIPaddress>, port 443, instance /OWA. Recommended resolution by scanner vendor: 'add the "HttpOnly" flag to the cookie'.

I came across a similar question titled "Missing Secure Flag & HttpOnly Flag From SSL Cookie - OWA" that was answered by Xiu Zhang with an answer of "it (the HttpOnly flag) cannot be changed" and "it is by design".

I also ran across another article elsewhere, where an individual apparently successfully set these flags by placing the line

<httpCookies httpOnlyCookies="true" requireSSL="true" />

in the web.config file for OWA.  This however broke OWA in my case, as in the case of the similar question referenced above.  Numerous other people appear to be having the same issue as referenced by the 14 responses to this similar question asking for documentation (but with no responses from Xiu Zhang).

The bottom line is that the ASV will only give me an exception "if you can confirm that the cookies missing this flag(s) are only used before authenticating and that they do not contain sensitive data". This essentially means I need some semi-official confirmation (other than a post in a forum) from someone at Microsoft that this is the case.

Any help would be greatly appreciated.



Timothy J Walsh
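Added example (not from the original post, Microsoft, or the scanner vendor): a small audit that does what the ASV finding describes, parsing each Set-Cookie header of a response and reporting which cookies lack the Secure and HttpOnly attributes. The cookie names and values in SAMPLE_HEADERS are constructed for the demonstration; fetch_set_cookie is an assumed helper for running the same check against a live host.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly flags a PCI ASV scan checks."""
import http.client
from typing import Dict, List, Set


def parse_set_cookie(value: str) -> Dict[str, object]:
    """Split one Set-Cookie value into its cookie name and a lower-cased attribute set."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attributes are case-insensitive (RFC 6265), so normalise before comparing.
    attrs: Set[str] = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return {"name": name, "attrs": attrs}


def audit_cookies(set_cookie_values: List[str]) -> Dict[str, List[str]]:
    """Return the findings a scanner would raise: cookie name -> list of missing flags."""
    findings: Dict[str, List[str]] = {}
    for value in set_cookie_values:
        cookie = parse_set_cookie(value)
        missing = [f for f in ("Secure", "HttpOnly") if f.lower() not in cookie["attrs"]]
        if missing:
            findings[str(cookie["name"])] = missing
    return findings


def fetch_set_cookie(host: str, path: str = "/owa/") -> List[str]:
    """Assumed helper: GET one HTTPS page and return every Set-Cookie header it carries."""
    conn = http.client.HTTPSConnection(host, 443, timeout=10)
    conn.request("GET", path, headers={"Host": host})
    resp = conn.getresponse()
    # getheaders() keeps repeated Set-Cookie headers as separate tuples.
    values = [v for k, v in resp.getheaders() if k.lower() == "set-cookie"]
    conn.close()
    return values


# Constructed sample: three cookies as a pre-authentication response might set them.
SAMPLE_HEADERS = [
    "OwaSession=abc123; path=/; secure; HttpOnly",
    "PBack=0; path=/",
    "ASP.NET_SessionId=xyz789; path=/; HttpOnly",
]

if __name__ == "__main__":
    for name, missing in audit_cookies(SAMPLE_HEADERS).items():
        print(f"{name}: missing {', '.join(missing)}")
```

Running the audit against the pre-authentication page and then against a page fetched after logon tells you which cookies fall under the ASV's exception wording and which do not.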