Sensitive cookie in HTTPS session without 'Secure' attribute
Description
The session cookie is created without the 'Secure' attribute. 'Secure' tells the browser to attach the cookie only to requests sent over HTTPS; without it, the browser will also send the cookie on any plaintext HTTP request to the same host (for example, a link or sub-resource loaded over http://), even if the session itself was established over HTTPS. An attacker positioned on the network path can read the session identifier from that unencrypted request and replay it to hijack the session. To fix this, set 'secure: true' in the session cookie options when creating the session.
Examples
Insecure Code
```javascript
const express = require('express');
const session = require('express-session');
const app = express();
// No 'secure' flag: the browser will also send this cookie over plain HTTP.
app.use(session({ secret: 'change-me', cookie: { maxAge: 60000 } }));
```
Secure Code
```javascript
const express = require('express');
const session = require('express-session');
const app = express();
app.set('trust proxy', 1); // required if TLS terminates at a reverse proxy
// 'secure: true': the browser only sends this cookie over HTTPS.
app.use(session({ secret: 'change-me', cookie: { secure: true, maxAge: 60000 } }));
```
Remediation
Set the cookie's 'secure' attribute to 'true' when creating the session, for example: $SESSION({ cookie: { secure: true } }). Note that express-session will not set a 'secure' cookie at all on a request it considers to be plain HTTP, so when TLS is terminated at a reverse proxy, also enable 'trust proxy' in Express so the middleware recognises the forwarded request as HTTPS.
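As an added example (not part of this rule page, and not express-session code), the following dependency-free Node.js check audits the Set-Cookie headers of a response and reports session cookies that lack the Secure attribute, which is the condition this rule detects in source. The cookie-name list, the function names and the two sample responses are assumptions for illustration; the sample headers are constructed, not captured from a server.

```javascript
// Added example: audit Set-Cookie headers for session cookies missing Secure.
// Plain Node.js; no express or express-session required.

// Names commonly used for session cookies (assumed list for this example);
// 'connect.sid' is express-session's default cookie name.
const SESSION_COOKIE_NAMES = ['connect.sid', 'sessionid', 'session', 'sid', 'phpsessid', 'jsessionid'];

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are case-insensitive (RFC 6265), so they are lower-cased;
// flag attributes such as Secure and HttpOnly are stored as `true`.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  const value = eq === -1 ? '' : parts[0].slice(eq + 1);
  const attrs = {};
  for (const part of parts.slice(1)) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name, value, attrs };
}

function isSessionCookie(name) {
  return SESSION_COOKIE_NAMES.includes(name.toLowerCase());
}

// Return one finding per session cookie that is missing the Secure attribute.
// `scheme` is the scheme the response was served over; a session cookie set
// over https without Secure is exactly the CWE-614 condition.
function auditSetCookie(setCookieHeaders, scheme = 'https') {
  const findings = [];
  for (const header of setCookieHeaders) {
    const c = parseSetCookie(header);
    if (!isSessionCookie(c.name)) continue;
    if (!c.attrs.secure) {
      findings.push({
        cookie: c.name,
        issue: `session cookie set over ${scheme} without Secure attribute`,
        cwe: 'CWE-614',
        // Other hardening attributes worth reporting while we are here.
        alsoMissing: ['httponly', 'samesite'].filter((a) => !(a in c.attrs)),
      });
    }
  }
  return findings;
}

// Constructed sample responses (not captured from a real server).
// The first mirrors what express-session emits for cookie: { maxAge: 60000 };
// the second is the same cookie with secure: true.
const INSECURE_RESPONSE = [
  'connect.sid=s%3Aabc123.sig; Path=/; Expires=Wed, 01 Jan 2025 00:01:00 GMT; HttpOnly',
];
const SECURE_RESPONSE = [
  'connect.sid=s%3Aabc123.sig; Path=/; Expires=Wed, 01 Jan 2025 00:01:00 GMT; HttpOnly; Secure',
];

console.log(auditSetCookie(INSECURE_RESPONSE)); // one CWE-614 finding
console.log(auditSetCookie(SECURE_RESPONSE));   // []
```

Run the same check against the headers returned by a deployed app to confirm the fix took effect end to end; because express-session silently refuses to set a `secure` cookie on a request it believes arrived over HTTP, an empty Set-Cookie header behind a proxy usually means 'trust proxy' is missing rather than that the cookie is secure.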
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0394 |
| Category | Auth |
| Severity | MEDIUM |
| CWE | CWE-614 |
| Confidence | HIGH |
| Impact | MEDIUM |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | session, cookie, https |
| OWASP | A2:2017-Broken Authentication, A07:2021-Identification and Authentication Failures |