Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-614: Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute |
| OWASP | A05:2021 - Security Misconfiguration |
| Confidence Level | Medium |
| Impact Level | Low |
| Likelihood Level | Low |
Description
The session cookie is being set without the ‘Secure’ flag, which means it can be sent over unencrypted HTTP connections. This makes the cookie vulnerable to interception by attackers on unsecured networks.
Impact
If the ‘Secure’ flag is not set, sensitive session cookies could be stolen via network sniffing on public Wi-Fi or other insecure channels. This could allow attackers to hijack user sessions, impersonate users, and gain unauthorized access to protected areas of the application.
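The following is an added example (not code from the original page or any particular framework) showing both the weak and the corrected `Set-Cookie` header for a session cookie, plus a small audit function that flags session cookies missing the `Secure` attribute. The cookie names in `SESSION_COOKIE_NAMES` and the sample headers are assumptions constructed for the example.

```python
from http.cookies import CookieError, SimpleCookie

# Assumed list of common session cookie names to audit (constructed for this example).
SESSION_COOKIE_NAMES = {"sessionid", "session", "phpsessid", "jsessionid", "connect.sid"}


def build_session_cookie(name: str, value: str, secure: bool) -> str:
    """Build a Set-Cookie header value for a session cookie.

    secure=False reproduces the misconfiguration described above: the cookie
    may then be sent over plain HTTP. secure=True is the corrected setting.
    """
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = "/"
    jar[name]["httponly"] = True   # keep the cookie away from document.cookie
    jar[name]["samesite"] = "Lax"  # limit cross-site sending
    if secure:
        jar[name]["secure"] = True  # only transmit over HTTPS
    return jar[name].OutputString()


def insecure_session_cookies(set_cookie_headers: list[str]) -> list[str]:
    """Return the names of session cookies set without the Secure attribute.

    Each element of set_cookie_headers is one Set-Cookie header value as it
    would appear in an HTTPS response. Cookies using the __Secure- name prefix
    are also flagged, since browsers reject those when Secure is absent.
    """
    findings = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        try:
            jar.load(header)
        except CookieError:
            continue  # unparseable header: nothing to audit
        for name, morsel in jar.items():
            is_session = name.lower() in SESSION_COOKIE_NAMES
            is_prefixed = name.startswith("__Secure-")
            if (is_session or is_prefixed) and not morsel["secure"]:
                findings.append(name)
    return findings


if __name__ == "__main__":
    # Constructed sample response headers: one weak, one corrected, one unrelated.
    headers = [
        build_session_cookie("sessionid", "abc123", secure=False),
        build_session_cookie("JSESSIONID", "xyz789", secure=True),
        "theme=dark; Path=/",
    ]
    print(insecure_session_cookies(headers))  # -> ['sessionid']
```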