Insecure Cookie Creation
Description
A new cookie is created without the Secure flag set. Without it, the browser also sends the cookie over plaintext HTTP, where anyone on the network path can read it.
Examples
Insecure Code

```scala
// Cookie is added to the response without setSecure(true):
// the browser will send it over both HTTP and HTTPS.
val C = new javax.servlet.http.Cookie("name", "value")
response.addCookie(C)
```

Secure Code

```scala
// Secure flag set before the cookie is added: the browser
// only sends it back over HTTPS.
val C = new javax.servlet.http.Cookie("name", "value")
C.setSecure(true)
response.addCookie(C)
```

Remediation
Call setSecure(true) on the cookie before passing it to response.addCookie. The flag has to be set explicitly on the Cookie object; serving the page over TLS does not set it for you.
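The following is an added example, not code from the rule page or from the analyzed project. It shows the remediation wrapped in a small helper that every cookie-creating call site can use, and a runtime check on the resulting Set-Cookie header value so a test or response filter can confirm the Secure attribute is actually present. It assumes the javax.servlet API on the classpath; the object and function names (SecureCookies, secureCookie, addSessionCookie, hasSecureAttribute) and the sample header strings are hypothetical.

```scala
import javax.servlet.http.{Cookie, HttpServletResponse}

object SecureCookies {

  // Builds a cookie with the Secure flag set (the CODE-0008 fix) plus HttpOnly
  // and a bounded lifetime, which the same call site usually wants as well.
  // Path "/" is an assumption; adjust to the application's scope.
  def secureCookie(name: String, value: String, maxAgeSeconds: Int): Cookie = {
    val c = new Cookie(name, value)
    c.setSecure(true)    // only sent over HTTPS
    c.setHttpOnly(true)  // not readable from client-side script
    c.setPath("/")
    c.setMaxAge(maxAgeSeconds)
    c
  }

  // Typical call site: one helper instead of a bare `new Cookie` at each use.
  def addSessionCookie(response: HttpServletResponse, sessionId: String): Unit =
    response.addCookie(secureCookie("SESSIONID", sessionId, 30 * 60))

  // Checks the same property on the wire: given the value of a Set-Cookie
  // response header, report whether the Secure attribute is present.
  // Attribute names are case-insensitive, and the first segment is name=value.
  def hasSecureAttribute(setCookieHeader: String): Boolean =
    setCookieHeader
      .split(';')
      .iterator
      .drop(1)
      .map(_.trim.toLowerCase)
      .contains("secure")

  def main(args: Array[String]): Unit = {
    // Constructed sample header values, not captured from any real system.
    val insecureHeader = "SESSIONID=abc123; Path=/; HttpOnly"
    val secureHeader   = "SESSIONID=abc123; Path=/; Secure; HttpOnly"

    assert(!hasSecureAttribute(insecureHeader))
    assert(hasSecureAttribute(secureHeader))
    println("Set-Cookie checks passed")
  }
}
```

hasSecureAttribute is the check to run in an integration test against every Set-Cookie header the application emits; it catches cookies built by third-party code or frameworks that bypass the helper.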
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0008 |
| Category | Web |
| Severity | LOW |
| CWE | CWE-539 |
| Confidence | HIGH |
| Impact | LOW |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | cookie, secure flag |
| OWASP | N/A |