# Sensitive cookie in HTTPS session without 'Secure' attribute

## Description

The `Secure` attribute, when set to `true`, prevents the cookie value from being transmitted over clear-text channels such as plain HTTP: the browser will only send the cookie over HTTPS. Session cookies should be configured with all three security directives: `HttpOnly`, `SameSite`, and `Secure`.
## Examples

### Insecure Code

```c#
var cookie = new HttpCookie("SomeCookieName", "SomeValue");
```

### Secure Code

```c#
var someCookie = new HttpCookie("SomeCookieName", "SomeValue");
someCookie.Secure = true;
```

## Remediation

Set the `Secure` attribute to `true` on the `HttpCookie` object, e.g., `someCookie.Secure = true;`
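The following is an added example, not code from the rule page, showing the remediation applied together with the other two directives the description names, plus a small response-time check a defender can run to catch cookies that slipped through without `Secure`. The class and method names, the cookie name `SessionId`, and the choice of `SameSiteMode.Strict` are assumptions for this example; `HttpCookie.SameSite` requires .NET Framework 4.7.2 or later.

```c#
using System;
using System.Web;

public static class SessionCookieFactory
{
    // Builds a session cookie carrying all three directives the rule text
    // calls for. The name "SessionId" is an assumed value for the example.
    public static HttpCookie CreateSessionCookie(string value)
    {
        var cookie = new HttpCookie("SessionId", value)
        {
            Secure = true,                  // only transmitted over HTTPS (CWE-614)
            HttpOnly = true,                // not exposed to client-side script
            SameSite = SameSiteMode.Strict  // not sent on cross-site requests (.NET 4.7.2+)
        };
        return cookie;
    }

    // Defensive check suitable for Application_EndRequest in Global.asax:
    // returns false if any cookie about to be set on this response lacks
    // the Secure flag, so the omission can be logged before the response
    // leaves the server.
    public static bool AllCookiesSecure(HttpResponse response)
    {
        foreach (string key in response.Cookies.AllKeys)
        {
            var cookie = response.Cookies[key];
            if (cookie != null && !cookie.Secure)
            {
                return false;
            }
        }
        return true;
    }
}

// Usage inside a page or handler (Response is the current HttpResponse):
// Response.Cookies.Add(SessionCookieFactory.CreateSessionCookie(sessionToken));
// if (!SessionCookieFactory.AllCookiesSecure(Response)) { /* log and fix */ }
```

As a site-wide backstop for ASP.NET applications served only over HTTPS, the `<httpCookies requireSSL="true" httpOnlyCookies="true" />` element under `<system.web>` in `web.config` forces both flags on every cookie the application issues, so a single forgotten `Secure = true` does not reintroduce the finding.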
## Rule Details
| Field | Value |
|---|---|
| ID | CODE-0440 |
| Category | Secrets |
| Severity | LOW |
| CWE | CWE-614 |
| Confidence | HIGH |
| Impact | LOW |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | cookie, secure, https |
| OWASP | A6:2017-Security Misconfiguration, A05:2021-Security Misconfiguration |