Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
Description
This rule flags cookies that carry session or otherwise sensitive data and are issued without the `Secure` attribute (CWE-614). A browser sends such a cookie on every request to the host, including plaintext `http://` requests (a typed URL, an injected link, a mixed-content resource), so an attacker on the network path can capture the value and replay it even though the application itself is served over HTTPS. Application code should not place sensitive or session-related data in custom cookies at all: keep it in the server-side session and let the container's session cookie reference it, and mark any cookie that must exist as `Secure` (and normally `HttpOnly`).
Examples
Insecure Code
```scala
import javax.servlet.http.{Cookie, HttpServletRequest}
def handleRequest(req: HttpServletRequest): Unit = {
  // getCookies returns null when the request carries no Cookie header
  val cookies = Option(req.getCookies).getOrElse(Array.empty[Cookie])
  // Each cookie came from the client; a custom cookie holding session data that
  // was issued without Secure may already have crossed a plaintext HTTP hop.
  for (c <- cookies) {
    println(c.getName)
  }
}
```
Secure Code
```scala
import javax.servlet.http.HttpServletRequest
def handleRequest(req: HttpServletRequest): Unit = {
  // Keep sensitive data server-side; only the container's session cookie
  // (marked Secure through the session cookie config) travels to the client.
  val session = req.getSession
  session.setAttribute("userRole", "admin")    // store (value resolved server-side)
  val role = session.getAttribute("userRole")  // retrieve
}
```
Remediation
Store sensitive data in the server-side session and reference it through the user's session cookie rather than through custom cookies. Set the `Secure` attribute on every cookie that carries session or sensitive data, including the container's own session cookie (via `SessionCookieConfig.setSecure(true)` or `<session-config><cookie-config><secure>true</secure></cookie-config></session-config>` in `web.xml`), and add `HttpOnly` so the value is not readable by script. Verify the fix by inspecting the `Set-Cookie` response headers, not only the code.
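The following is an added example that is not part of the original rule page or of any project it describes. It assumes the javax.servlet 3.x API (`Cookie.setHttpOnly`, `SessionCookieConfig`, `@WebListener`); the cookie and attribute names (`role`, `userRole`) are illustrative. It shows the insecure custom cookie beside its hardened form, the session-based alternative, the container-level session cookie setting, and a small audit helper that scans `Set-Cookie` header values for missing `Secure`/`HttpOnly` attributes.

```scala
import javax.servlet.annotation.WebListener
import javax.servlet.{ServletContextEvent, ServletContextListener}
import javax.servlet.http.{Cookie, HttpServletRequest, HttpServletResponse}

object CookieHandling {

  // BEFORE: a custom cookie carrying session-linked data, issued without Secure.
  // The browser also sends it on any plaintext http:// request to the host, so an
  // on-path attacker can read the role and replay it. (Illustrative cookie name.)
  def setRoleCookieInsecure(resp: HttpServletResponse, role: String): Unit = {
    val c = new Cookie("role", role)
    c.setPath("/")
    resp.addCookie(c) // no setSecure, no setHttpOnly
  }

  // AFTER (preferred): keep the value server-side, keyed by the container's
  // session cookie, which is itself marked Secure by the listener below.
  def storeRoleInSession(req: HttpServletRequest, role: String): Unit =
    req.getSession(true).setAttribute("userRole", role)

  def readRoleFromSession(req: HttpServletRequest): Option[String] =
    Option(req.getSession(false))
      .flatMap(s => Option(s.getAttribute("userRole")).map(_.toString))

  // AFTER (if a custom cookie is unavoidable): Secure + HttpOnly on the Cookie object.
  def addHardenedCookie(resp: HttpServletResponse, name: String, value: String): Unit = {
    val c = new Cookie(name, value)
    c.setSecure(true)   // only transmitted over TLS
    c.setHttpOnly(true) // not exposed to document.cookie
    c.setPath("/")
    c.setMaxAge(3600)
    resp.addCookie(c)
  }

  // javax.servlet.http.Cookie has no SameSite setter; when SameSite is required,
  // write the Set-Cookie header directly with all attributes.
  def addHardenedCookieHeader(resp: HttpServletResponse, name: String, value: String): Unit =
    resp.addHeader(
      "Set-Cookie",
      s"$name=$value; Path=/; Max-Age=3600; Secure; HttpOnly; SameSite=Strict"
    )

  // Audit helper for the verification step: given raw Set-Cookie header values,
  // return the attributes missing from each one, keyed by cookie name.
  def auditSetCookie(headers: Seq[String]): Map[String, Seq[String]] =
    headers.flatMap { h =>
      val parts = h.split(";").map(_.trim)
      val name  = parts.head.takeWhile(_ != '=')
      val attrs = parts.tail.map(_.toLowerCase)
      val missing = Seq("Secure", "HttpOnly").filterNot(a => attrs.contains(a.toLowerCase))
      if (missing.isEmpty) None else Some(name -> missing)
    }.toMap

  // Constructed sample headers, standing in for a captured HTTP response.
  def main(args: Array[String]): Unit = {
    val sample = Seq(
      "role=admin; Path=/",
      "JSESSIONID=0123456789abcdef; Path=/; Secure; HttpOnly"
    )
    auditSetCookie(sample).foreach { case (n, m) => println(s"$n is missing: ${m.mkString(", ")}") }
  }
}

// Container-level fix for the session cookie itself; equivalent to the
// <session-config><cookie-config> settings in web.xml.
@WebListener
class SecureSessionCookieListener extends ServletContextListener {
  override def contextInitialized(sce: ServletContextEvent): Unit = {
    val cfg = sce.getServletContext.getSessionCookieConfig
    cfg.setSecure(true)
    cfg.setHttpOnly(true)
  }
  override def contextDestroyed(sce: ServletContextEvent): Unit = ()
}
```

Running the `main` against the constructed headers reports only the `role` cookie, since the `JSESSIONID` line already carries both attributes; in a real check, feed `auditSetCookie` the `Set-Cookie` values from an actual response (for example from `curl -si`) rather than from source code, because the container, a reverse proxy or a framework may add or strip attributes after the application sets them.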
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0010 |
| Category | Web |
| Severity | MEDIUM |
| CWE | CWE-614 |
| Confidence | HIGH |
| Impact | MEDIUM |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | cookie, session, sensitive data |
| OWASP | N/A |