Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-614: Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute |
| OWASP | A05:2021 - Security Misconfiguration |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
Description
The code creates cookies without the Secure attribute. A browser attaches such a cookie to every matching request, including plain-HTTP requests to the same host, so the value travels in cleartext as soon as an attacker can cause one such request (a mixed-content resource, a typed or injected http:// link, or a forced redirect by an on-path attacker). The Secure attribute instructs the browser to send the cookie only over HTTPS; the `__Secure-` and `__Host-` name prefixes go further and make the browser reject the cookie outright if it is ever set without Secure.
Impact
If exploited, an attacker on the network path (for example on shared Wi-Fi or behind a compromised router) can read a session cookie or other sensitive value from the cleartext request and replay it, hijacking the session or gaining access to the account without credentials. The risk is highest when users connect over public or untrusted networks. Secure is a browser-side control; enabling HSTS on the server complements it by keeping the browser from issuing plain-HTTP requests in the first place, but it does not replace the attribute.
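As an added example (not code from the original rule page), the following Python builds a session cookie with and without the Secure attribute and runs a small audit over Set-Cookie header values to report the CWE-614 condition. The `SENSITIVE_NAME_HINTS` heuristic and the helper names are assumptions for illustration, not part of the scanner's rule.

```python
# Added example for this rule (not code from the original page): a helper that
# emits a session cookie with the Secure attribute, and a small audit that parses
# Set-Cookie header values and reports the CWE-614 condition. Standard library only.
from http.cookies import SimpleCookie

# Name fragments treated as "sensitive" by the audit; a constructed heuristic,
# not a list taken from the rule itself.
SENSITIVE_NAME_HINTS = ("sess", "auth", "token", "csrf", "jwt", "sid")


def session_cookie_header(name: str, value: str, secure: bool = True) -> str:
    """Build a Set-Cookie header value for a session cookie.

    secure=True (the fix) adds the Secure attribute, so the browser attaches the
    cookie only to HTTPS requests. secure=False reproduces the flagged pattern.
    """
    cookie = SimpleCookie()
    cookie[name] = value
    morsel = cookie[name]
    morsel["path"] = "/"
    morsel["httponly"] = True      # keep the value out of reach of page scripts
    morsel["samesite"] = "Lax"     # limit cross-site sending
    if secure:
        morsel["secure"] = True    # never sent over plain HTTP
    return morsel.OutputString()


def parse_set_cookie(header: str):
    """Split a Set-Cookie header value into (name, value, {attr_lowercase: value}).

    Attribute names are case-insensitive per RFC 6265; flag attributes such as
    Secure and HttpOnly map to an empty string.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header: str) -> list:
    """Return the list of problems found in one Set-Cookie header value.

    An empty list means the cookie carries the attributes this rule expects.
    """
    name, _value, attrs = parse_set_cookie(header)
    problems = []
    sensitive = any(hint in name.lower() for hint in SENSITIVE_NAME_HINTS)
    if "secure" not in attrs:
        if sensitive:
            problems.append("CWE-614: sensitive cookie '%s' lacks Secure" % name)
        else:
            problems.append("cookie '%s' lacks Secure" % name)
    if sensitive and "httponly" not in attrs:
        problems.append("sensitive cookie '%s' lacks HttpOnly" % name)
    # Browsers refuse to store __Secure-/__Host- cookies that are not marked
    # Secure, so a missing flag here is a functional bug as well as a weakness.
    if name.startswith(("__Secure-", "__Host-")) and "secure" not in attrs:
        problems.append("prefixed cookie '%s' will be rejected by the browser" % name)
    return problems


if __name__ == "__main__":
    # Constructed headers: the flagged pattern next to the corrected one.
    weak = session_cookie_header("sessionid", "a1b2c3", secure=False)
    fixed = session_cookie_header("sessionid", "a1b2c3")
    for hdr in (weak, fixed):
        print("Set-Cookie:", hdr)
        print("  findings:", audit_set_cookie(hdr) or "none")
```

Running the script prints the weak header with one CWE-614 finding and the fixed header with none. The audit only reads header values, so it can be pointed at a captured response or at the output of a web framework's test client without a browser in the loop.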