Insufficiently protected credentials: session cookie domain not set
Description
The session middleware settings do not specify the domain of the cookie. The Domain attribute declares which host the cookie belongs to: the browser compares it against the domain of the server the URL is being requested from and, only if they match, goes on to check the Path attribute.
Examples
Insecure Code

```javascript
const express = require('express');
const session = require('express-session');
const app = express();
// No cookie.domain: the session cookie's domain is left unspecified.
app.use(session({ secret: 'secret' }));
```

Secure Code

```javascript
const express = require('express');
const session = require('express-session');
const app = express();
// Domain attribute set explicitly on the session cookie.
app.use(session({ secret: 'secret', cookie: { domain: 'example.com' } }));
```

Remediation
Set the `domain` attribute in the session cookie settings, e.g. `$SESSION({ cookie: { domain: 'example.com' } })`.
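As an added example (not part of the rule page or of express-session), the following helper audits a `Set-Cookie` header the way the description above says a browser evaluates it: first the Domain attribute against the request host, then the Path. The two sample headers are constructed to resemble what express-session emits with and without `cookie.domain`; the session value in them is made up.

```javascript
// Parse one Set-Cookie header into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes: {} };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// RFC 6265 domain-match: the host equals the domain or is a subdomain of it.
// A leading dot (legacy syntax) is ignored, as browsers do.
function domainMatches(host, domain) {
  const d = domain.replace(/^\./, '').toLowerCase();
  const h = host.toLowerCase();
  return h === d || h.endsWith('.' + d);
}

// Returns a list of findings; an empty list means the cookie scope is
// declared and consistent with the request. Domain is checked first,
// then Path, mirroring the order described in the rule.
function auditSessionCookie(header, requestHost, requestPath = '/') {
  const cookie = parseSetCookie(header);
  const findings = [];
  const domain = cookie.attributes.domain;
  if (domain === undefined) {
    findings.push('Domain attribute not set: cookie scope is implicit (host-only)');
  } else if (!domainMatches(requestHost, domain)) {
    findings.push(`Domain=${domain} does not match request host ${requestHost}`);
  }
  const path = cookie.attributes.path || '/';
  if (!requestPath.startsWith(path)) {
    findings.push(`Path=${path} does not cover request path ${requestPath}`);
  }
  return findings;
}

// Constructed sample headers (session value is fictitious).
const INSECURE = 'connect.sid=s%3Aabc.def; Path=/; HttpOnly';
const SECURE = 'connect.sid=s%3Aabc.def; Path=/; Domain=example.com; HttpOnly';
```

A cookie with no Domain attribute is host-only under RFC 6265 (sent back only to the exact host that set it); the rule flags that case because the scope is then implicit rather than declared in the middleware configuration.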
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0389 |
| Category | Auth |
| Severity | MEDIUM |
| CWE | CWE-522 |
| Confidence | HIGH |
| Impact | MEDIUM |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | session cookie, authentication |
| OWASP | A2:2017-Broken Authentication, A07:2021-Identification and Authentication Failures |