Given the default configuration (of course you can break this):
- 2013+ always uses the "private computer" option
- 2013+ must be secured with ssl/tls
- 2013+ always sets httpOnly on the cookie, which with the above, means that secure is implied
- 2013+ do not support browsers that do not support httpOnly

From: [email protected] [mailto:[email protected]] On Behalf Of Graeme Carstairs
Sent: Friday, November 4, 2016 5:31 AM
To: [email protected]
Subject: [Exchange] PCI Audit Failure Cookie Does Not Contain The "secure" Attribute port 443

Hi,

We have a client that is currently undergoing a PCI audit, and the company keeps flagging up the following:

Cookie Does Not Contain The "secure" Attribute port 443
If the associated risk of a compromised account is high, apply the "secure" attribute to cookies and force all sensitive requests to be sent via HTTPS

This is on their OWA in Exchange 2013; my googling only finds how to set this in OWA 2007 and 2010 by adding the following into the web.config:

<httpCookies httpOnlyCookies="true" requireSSL="true"/>

I can only find mention that this is not needed in 2013, but I need to know how to set it or how to explain to the PCI company that it is not needed in 2013, as 2013 has its own XSS protection.

Thanks
Graeme

--
Good news everyone, you have just received an e-mail from me!
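To reproduce the scanner's finding independently of the audit tool, here is an added Python check (example code, not from the thread, from Exchange, or from the PCI scanner). It parses Set-Cookie header values the way a scanner does, reading each attribute literally, and reports every cookie that lacks the Secure or HttpOnly attribute. The cookie names and header values are constructed sample data, and the /owa/ path used by the live-fetch helper is an assumption about the deployment.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly attributes.

Added example for the cookie-attribute finding discussed in the thread; it is
not Exchange's, Microsoft's or the auditor's code. Cookie names and header
values below are constructed sample data, not captured from a real server.
"""
import http.client
import ssl
from dataclasses import dataclass


@dataclass
class CookieAudit:
    name: str
    secure: bool
    httponly: bool

    @property
    def findings(self):
        """Findings for this cookie, phrased like the scanner's report line."""
        out = []
        if not self.secure:
            out.append('Cookie Does Not Contain The "secure" Attribute')
        if not self.httponly:
            out.append('Cookie Does Not Contain The "HttpOnly" Attribute')
        return out


def parse_set_cookie(header_value):
    """Parse one Set-Cookie header value (RFC 6265 layout).

    The first ';'-separated part is name=value; the remaining parts are
    attributes. Attribute names are case-insensitive, so 'secure', 'Secure'
    and 'SECURE' all count. Secure and HttpOnly are checked separately: one
    being present says nothing about the other.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return CookieAudit(name=name, secure="secure" in attrs, httponly="httponly" in attrs)


def audit_set_cookie_headers(header_values):
    """Return only the cookies that have at least one finding."""
    return [c for c in map(parse_set_cookie, header_values) if c.findings]


def fetch_set_cookie_headers(host, path="/owa/", port=443, timeout=10):
    """Collect every Set-Cookie header the server sends for GET path over TLS.

    Live check against a real host; the offline sample below does not call it.
    The /owa/ path is an assumption; adjust it for the deployment being audited.
    """
    conn = http.client.HTTPSConnection(
        host, port, timeout=timeout, context=ssl.create_default_context()
    )
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        # getheaders() keeps duplicate Set-Cookie headers, one per cookie.
        return [v for k, v in resp.getheaders() if k.lower() == "set-cookie"]
    finally:
        conn.close()


# Constructed sample headers: one cookie missing Secure, one with both
# attributes, one missing both.
SAMPLE_HEADERS = [
    "session=abc123; Path=/; HttpOnly",
    "canary=0d9f8a; Path=/; Secure; HttpOnly",
    "prefs=lang%3Den; Path=/; Expires=Fri, 04 Nov 2016 05:31:00 GMT",
]


if __name__ == "__main__":
    for cookie in audit_set_cookie_headers(SAMPLE_HEADERS):
        for finding in cookie.findings:
            print(f"{cookie.name}: {finding} (port 443)")
```

Run it as-is to see the two failing sample cookies, or pass the output of fetch_set_cookie_headers("owa.example.test") (hostname assumed) into audit_set_cookie_headers to check a real endpoint; an empty result means every cookie the server set on that response carried both attributes.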
