During a security audit, our client found that we are sending to the client a cookie called 'x-oracle-dms-ecid'. They asked to disable it or change its name. We have been reading all the Oracle documentation available, but we couldn't find any useful reference.

So my questions are:

  • How can this cookie be changed or disabled?
  • What exactly is it used for and what are the possible consequences if we change it?
  • Is it really a security incident?
S.L. Barth
amusero
  • I'm afraid I don't know how you'd change it. As to whether it's a security issue, I'd say that depends. The name provides a bit of information about the tech the site is based on to an attacker (it clearly identifies that it's an Oracle product, probably their dynamic monitoring service), so I'd generally rate this as a "low" or "informational" finding. If your site is super-high security it might be worth addressing, but in most cases I wouldn't do it unless it was an easy/low-risk change. – Rory McCune Aug 22 '14 at 19:08

1 Answer

Disable by adding the following lines in your httpd.conf:

# mod_headers: remove the X-ORACLE-DMS-ECID response header
Header unset X-ORACLE-DMS-ECID
# "always" applies to every response, including error and redirect responses
Header always unset X-ORACLE-DMS-ECID
Jens Erat
Akhil Dev
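The question talks about a cookie while the answer's `Header unset` directive acts on a response header of that name; a cookie with the same name travels inside a Set-Cookie header instead. The following Python check, added here as an example and not part of the answer above, parses a raw HTTP response and reports both cases separately, so a captured response can be used to verify the change. The sample responses and the ECID values in them are constructed, not taken from any real server.

```python
"""Check an HTTP response for the X-ORACLE-DMS-ECID header or cookie.

Added example (not from the original answer): given the raw text of an
HTTP response, report whether the ECID appears as a bare response header
and/or as a cookie name inside a Set-Cookie header.
"""
from typing import Dict, List, Tuple

ECID_NAME = "x-oracle-dms-ecid"


def parse_headers(raw_response: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP response into (name, value) header pairs.

    Header names are lower-cased so comparisons are case-insensitive; the
    status line and the body are ignored. Repeated headers (e.g. several
    Set-Cookie lines) are kept as separate pairs.
    """
    head = raw_response.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    pairs = []
    for line in lines[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def cookie_name(set_cookie_value: str) -> str:
    """Return the lower-cased cookie name from a Set-Cookie value ("name=value; attrs")."""
    return set_cookie_value.split(";", 1)[0].split("=", 1)[0].strip().lower()


def find_ecid(raw_response: str) -> Dict[str, bool]:
    """Report where the ECID appears: as a bare header and/or as a cookie."""
    headers = parse_headers(raw_response)
    as_header = any(name == ECID_NAME for name, _ in headers)
    as_cookie = any(
        name == "set-cookie" and cookie_name(value) == ECID_NAME
        for name, value in headers
    )
    return {"header": as_header, "cookie": as_cookie}


# Constructed sample responses (not captured from a real server).
BEFORE_FIX = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-ORACLE-DMS-ECID: 00000000-example-ecid\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: x-oracle-dms-ecid=00000000-example-ecid; Path=/\r\n"
    "\r\n"
    "<html></html>"
)

# Constructed: the bare header is gone but the cookie is still being set.
AFTER_HEADER_UNSET = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: x-oracle-dms-ecid=00000000-example-ecid; Path=/\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print("before:", find_ecid(BEFORE_FIX))
    print("after Header unset:", find_ecid(AFTER_HEADER_UNSET))
```

Feed it the output of a captured response (for example the headers saved from a `curl -i` run against the server) before and after the configuration change; if the `cookie` flag is still true, the Set-Cookie header needs to be handled separately from the bare header.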