Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute
| Property | |
|---|---|
| Language | java |
| Severity |  |
| CWE | CWE-614: Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute |
| OWASP | A05:2021 - Security Misconfiguration |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
Description#
A cookie is being set without the ‘secure’ flag, which means it can be sent over unencrypted HTTP connections. This exposes sensitive session data to interception by attackers on the network.
Impact#
If exploited, an attacker could steal session cookies by intercepting traffic over unsecured networks (like public Wi-Fi), potentially allowing unauthorized access to user accounts or sensitive data. This increases the risk of session hijacking and compromises user privacy.