Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
Description
Storing sensitive data in a persistent cookie for an extended period can lead to a breach of confidentiality or account compromise. When such a cookie also lacks the 'Secure' attribute, the browser sends it over plain HTTP as well as HTTPS, so anyone able to observe the network traffic can read it.
Examples
Insecure Code
```scala
import javax.servlet.http.Cookie

val cookie = new Cookie("session", "value")
cookie.setMaxAge(31536000) // persists for a year and, with no Secure flag, is also sent over plain HTTP
```
Secure Code
```scala
import javax.servlet.http.Cookie

val cookie = new Cookie("session", "value")
cookie.setSecure(true)  // browser only sends the cookie over HTTPS
cookie.setMaxAge(3600)  // limit persistence to one hour
```
Remediation
Set the 'Secure' attribute for the cookie and consider using a shorter max age.
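The static rule above inspects source code; the same weakness can be verified at runtime by auditing the Set-Cookie headers a deployed application actually emits. The following is an added example, not part of this rule page or of any analysed project: a small Python auditor that parses Set-Cookie header values and reports the two conditions the rule describes (missing Secure attribute, and a persistence window longer than a ceiling). It goes slightly beyond the page in also honouring an Expires attribute when Max-Age is absent, since both make a cookie persistent. The sensitive-name markers, the 3600-second ceiling (taken from the page's secure snippet), the fixed "current time" and all sample headers are constructed assumptions for the demonstration.

```python
# Added example (not part of the rule page or the analysed project): an auditor
# for Set-Cookie response headers that reports the weakness CODE-0009 / CWE-614
# flags in source code. SENSITIVE_MARKERS, MAX_AGE_LIMIT, NOW and SAMPLE_HEADERS
# are constructed assumptions for this demonstration.
from dataclasses import dataclass, field
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import List, Optional

# Assumed markers: a cookie whose name contains one of these is treated as sensitive.
SENSITIVE_MARKERS = ("session", "token", "auth")
# Ceiling for a persistent sensitive cookie; the page's remediation example uses one hour.
MAX_AGE_LIMIT = 3600
# Constructed "current time", so the Expires fallback is deterministic offline.
NOW = datetime(2026, 10, 20, 7, 28, tzinfo=timezone.utc)


@dataclass
class CookieAudit:
    name: str
    secure: bool
    max_age: Optional[int]          # seconds; None means a session (non-persistent) cookie
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header: str, now: datetime = NOW) -> CookieAudit:
    """Parse one Set-Cookie header value into the fields the rule cares about."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    secure = False
    max_age: Optional[int] = None
    expires: Optional[str] = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            secure = True
        elif key == "max-age":
            try:
                max_age = int(val.strip())
            except ValueError:
                pass  # RFC 6265: a non-numeric Max-Age is ignored by the browser
        elif key == "expires":
            expires = val.strip()
    # RFC 6265: Max-Age wins over Expires; only fall back to Expires when Max-Age is absent.
    if max_age is None and expires is not None:
        try:
            exp_dt = parsedate_to_datetime(expires)
            if exp_dt.tzinfo is None:
                exp_dt = exp_dt.replace(tzinfo=timezone.utc)
            max_age = int((exp_dt - now).total_seconds())
        except (TypeError, ValueError):
            pass  # an unparsable Expires is ignored, as a browser would ignore it
    return CookieAudit(name=name.strip(), secure=secure, max_age=max_age)


def is_sensitive(name: str) -> bool:
    lowered = name.lower()
    return any(marker in lowered for marker in SENSITIVE_MARKERS)


def audit_cookie(header: str, limit: int = MAX_AGE_LIMIT, now: datetime = NOW) -> CookieAudit:
    """Apply the CODE-0009 checks to one header; findings stay empty for non-sensitive cookies."""
    cookie = parse_set_cookie(header, now)
    if not is_sensitive(cookie.name):
        return cookie
    if not cookie.secure:
        cookie.findings.append("missing Secure attribute")
    # A Max-Age of zero or less tells the browser to discard the cookie, so only positive values persist.
    if cookie.max_age is not None and cookie.max_age > limit:
        cookie.findings.append(f"Max-Age {cookie.max_age}s exceeds {limit}s")
    return cookie


def audit_response(headers: List[str], limit: int = MAX_AGE_LIMIT, now: datetime = NOW) -> List[CookieAudit]:
    """Return only the cookies that violate the rule, given a list of Set-Cookie header values."""
    return [c for c in (audit_cookie(h, limit, now) for h in headers) if c.findings]


# Constructed sample headers. The first mirrors what the page's insecure Scala
# snippet produces (Max-Age of one year, no Secure flag); the second mirrors the
# secure snippet; the third is persistent via Expires (one day after NOW).
SAMPLE_HEADERS = [
    "session=abc123; Max-Age=31536000; Path=/",
    "session=abc123; Max-Age=3600; Path=/; Secure",
    "authToken=xyz; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/; Secure",
    "theme=dark; Max-Age=31536000; Path=/",
]

if __name__ == "__main__":
    for result in audit_response(SAMPLE_HEADERS):
        print(f"{result.name}: " + "; ".join(result.findings))
```

Run against captured response headers from a staging deployment, `audit_response` gives a quick confirmation that the code-level fix (setSecure plus a short max age) actually reached production; cookies whose names do not match the markers are parsed but never reported, so the marker list is the knob to tune for a given application.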
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0009 |
| Category | Web |
| Severity | MEDIUM |
| CWE | CWE-614 |
| Confidence | HIGH |
| Impact | MEDIUM |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | cookie, https, security |
| OWASP | N/A |