After running a PCI scan, the report shows findings similar to the following:
Cookie Does Not Contain The "secure" Attribute port 2082 / tcp
Cookie Does Not Contain The "secure" Attribute port 2086 / tcp
Cookie Does Not Contain The "secure" Attribute port 2095 / tcp
The cPanel Web Services Daemon (cpsrvd) requires SSL to log in by default.
WHM Tweak Settings:
WHM Server Configuration - Tweak Settings > Security Tab
Require SSL for cPanel Services: This setting requires that passwords and other sensitive information use SSL encryption. We strongly recommend that you enable this setting.
On — Require encryption. ( Default )
Off — Don’t require encryption.
Secure cookies can't be configured on non-SSL ports. To remedy this, cPanel only allows login to occur on SSL URLs and forces a redirect to the SSL URL by default. The SSL ports are:
- 2083 ( cPanel Login )
- 2087 ( WHM Login )
- 2096 ( Webmail Login )
If the PCI vendor reports this as a concern in the scan, ensure that the default setting to require SSL to log in is selected in the WHM Tweak Settings interface. After saving the change, submit this concern as a false match, as the secure cookie is present on the URLs which allow login to occur.
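To back up the false-match submission, the two conditions described above can be checked against captured response headers: the non-SSL port redirects to an https:// URL, and every cookie set on the SSL port carries the secure attribute. The script below is an added example, not cPanel code; the header samples, host name and cookie name are constructed for illustration and are not actual cpsrvd output.

```shell
#!/bin/sh
# Added example. Real headers could be captured with, for instance:
#   curl -sk -D - -o /dev/null http://HOST:2082/    (HOST is a placeholder)

# Constructed sample responses (assumptions, not real cpsrvd output).
PLAIN_2082='HTTP/1.1 301 Moved
Location: https://host.example.com:2083/
Set-Cookie: session_example=abc; HttpOnly; path=/'
SSL_2083='HTTP/1.1 200 OK
Set-Cookie: session_example=abc; HttpOnly; path=/; secure'

# Print "yes" if the response is a 3xx whose Location is an https:// URL.
redirects_to_https() {
    printf '%s\n' "$1" | tr -d '\r' | awk '
        NR == 1 && $2 ~ /^3[0-9][0-9]$/ { redirect = 1 }
        tolower($1) == "location:" && tolower($2) ~ /^https:\/\// { https = 1 }
        END { print ((redirect && https) ? "yes" : "no") }'
}

# Print the number of Set-Cookie headers that lack the secure attribute.
cookies_missing_secure() {
    printf '%s\n' "$1" | tr -d '\r' | awk '
        tolower($0) ~ /^set-cookie:/ {
            n = split($0, attrs, ";"); secure = 0
            for (i = 2; i <= n; i++) {          # attrs[1] is the name=value pair
                a = tolower(attrs[i]); gsub(/^[ \t]+|[ \t]+$/, "", a)
                if (a == "secure") secure = 1
            }
            if (!secure) missing++
        }
        END { print missing + 0 }'
}

# $1 = "plain" (2082/2086/2095) or "ssl" (2083/2087/2096), $2 = headers.
verdict() {
    case "$1" in
        plain) [ "$(redirects_to_https "$2")" = yes ] \
                   && echo "ok: login forced to SSL" || echo "FAIL: no https redirect" ;;
        ssl)   [ "$(cookies_missing_secure "$2")" -eq 0 ] \
                   && echo "ok: cookies are Secure" || echo "FAIL: cookie without Secure" ;;
    esac
}

verdict plain "$PLAIN_2082"
verdict ssl "$SSL_2083"
```

A "FAIL" result on a plain port suggests the Require SSL setting is off and should be re-enabled before disputing the finding.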