Insufficiently protected credentials: session cookie path not set
Description
The session middleware settings do not specify a path for the session cookie. The `path` option sets the cookie's `Path` attribute, which the browser compares against the request path; the cookie is sent with a request only when both the path and the domain match. Leaving the path unspecified means the scope of the session cookie is not an explicit, reviewed decision, which can lead to insecure cookie usage.
Examples
Insecure Code

```javascript
const session = require('express-session');
app.use(session({}));
```

Secure Code

```javascript
const session = require('express-session');
app.use(session({ cookie: { path: '/' } }));
```

Remediation
Set the path for the session cookie by adding the `path` property to the cookie options. For example: `$SESSION({ cookie: { path: '/' } })`
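The following is an added example, not code from the rule page or from express-session itself. It shows two things a reviewer would want alongside the remediation above: an options object with the cookie path set explicitly (together with the companion `httpOnly`, `secure` and `sameSite` attributes), and a small audit that parses a `Set-Cookie` response header and reports when `Path` is missing. The `sessionOptions`, `parseSetCookie` and `auditSessionCookie` names, the secret value and the two sample headers are constructed for this example.

```javascript
// Added example: explicit express-session cookie options plus a Set-Cookie audit.
// Pass the returned object to app.use(session(sessionOptions(secret))).
// The secret argument is a constructed placeholder; load it from configuration.
function sessionOptions(secret) {
  return {
    secret,
    resave: false,
    saveUninitialized: false,
    cookie: {
      path: '/',        // explicit Path so the cookie's scope is a deliberate choice
      httpOnly: true,   // keep the session id away from document.cookie
      secure: true,     // only send over HTTPS
      sameSite: 'lax',  // limit cross-site sending of the session cookie
    },
  };
}

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are lowercased; flag attributes (HttpOnly, Secure) map to true.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  const value = eq === -1 ? '' : parts[0].slice(eq + 1);
  const attrs = {};
  for (const p of parts.slice(1)) {
    const idx = p.indexOf('=');
    const key = (idx === -1 ? p : p.slice(0, idx)).toLowerCase();
    attrs[key] = idx === -1 ? true : p.slice(idx + 1);
  }
  return { name, value, attrs };
}

// Report findings for a session cookie header. A missing Path is the finding
// this rule describes; the other checks are the attributes reviewed with it.
function auditSessionCookie(header) {
  const { attrs } = parseSetCookie(header);
  const findings = [];
  if (!('path' in attrs)) findings.push('path-not-set');
  if (!('httponly' in attrs)) findings.push('httponly-not-set');
  if (!('secure' in attrs)) findings.push('secure-not-set');
  if (!('samesite' in attrs)) findings.push('samesite-not-set');
  return findings;
}

// Constructed sample headers: one from a session with no cookie path configured,
// one from the hardened options above.
const WEAK_HEADER = 'connect.sid=s%3Aabc.def; HttpOnly';
const HARDENED_HEADER = 'connect.sid=s%3Aabc.def; Path=/; HttpOnly; Secure; SameSite=Lax';

console.log(auditSessionCookie(WEAK_HEADER));      // path, secure and samesite missing
console.log(auditSessionCookie(HARDENED_HEADER));  // no findings

module.exports = { sessionOptions, parseSetCookie, auditSessionCookie, WEAK_HEADER, HARDENED_HEADER };
```

The audit is meant to run against captured responses from a test client or an integration test, so that the cookie attributes a deployment actually emits are checked rather than only the source configuration.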
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0392 |
| Category | Auth |
| Severity | MEDIUM |
| CWE | CWE-522 |
| Confidence | HIGH |
| Impact | MEDIUM |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | session cookie, authentication |
| OWASP | A2:2017-Broken Authentication, A07:2021-Identification and Authentication Failures |