Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute
| Property | |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-614: Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute |
| OWASP | A05:2021 - Security Misconfiguration |
| Confidence Level | Medium |
| Impact Level | Low |
| Likelihood Level | Low |
Description
The code sets a cookie in a Pyramid web application without enabling the `secure` flag, i.e. without the `Secure` attribute on the resulting `Set-Cookie` header. The `Secure` attribute tells the browser to send the cookie only over HTTPS. Without it, the browser also attaches the cookie to any plain-HTTP request for the same host, so the cookie travels in cleartext whenever such a request occurs, even if the application itself is only ever served over HTTPS.
Impact
An attacker on the network path (public Wi-Fi, a compromised router) can make the victim's browser issue a plain-HTTP request to the application, for example by injecting an `http://` image or redirect into any other unencrypted page the victim loads, and read the session cookie from that unencrypted request. With a stolen session cookie the attacker can replay the session and act as the user, leading to account hijacking and unauthorized access to user data. HSTS narrows the window but does not close it (the first visit and hosts that are not preloaded remain exposed), so the cookie itself must carry the `Secure` attribute.
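The example below is added here and is not code from the original page or from the Pyramid project. It uses only the Python standard library so it runs without Pyramid installed: it builds the flagged `Set-Cookie` header beside its hardened form, audits a header for the missing attributes, and wraps a WSGI application (Pyramid applications are WSGI applications) in a backstop that appends `Secure` to any cookie the code forgot to protect. The cookie name `session`, the token `a1b2c3` and the `demo_app` are constructed for the example.

```python
"""Session cookie with and without Secure, a Set-Cookie audit, and a WSGI
backstop that adds Secure where the application omitted it.
Standard library only; cookie name and token values are constructed."""
from http.cookies import SimpleCookie

SESSION_COOKIE = "session"  # assumed cookie name for the example


def weak_session_cookie(token: str) -> str:
    """The flagged pattern: no Secure attribute, so a browser also sends this
    cookie on plain-HTTP requests to the host (e.g. an http:// image an
    attacker injects elsewhere), exposing the token on the network path."""
    cookie = SimpleCookie()
    cookie[SESSION_COOKIE] = token
    cookie[SESSION_COOKIE]["path"] = "/"
    return cookie[SESSION_COOKIE].OutputString()


def hardened_session_cookie(token: str) -> str:
    """Corrected form: Secure restricts the cookie to HTTPS, HttpOnly keeps it
    away from script, SameSite=Lax limits cross-site sending."""
    cookie = SimpleCookie()
    cookie[SESSION_COOKIE] = token
    morsel = cookie[SESSION_COOKIE]
    morsel["path"] = "/"
    morsel["secure"] = True
    morsel["httponly"] = True
    morsel["samesite"] = "Lax"  # needs Python 3.8+
    return morsel.OutputString()


def audit_set_cookie(header_value: str) -> dict:
    """Parse one Set-Cookie header value and list the hardening attributes
    it lacks. Attribute names are matched case-insensitively."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure (CWE-614)")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax or Strict")
    return {"cookie": name, "findings": findings}


def force_secure_cookies(app):
    """WSGI middleware: append Secure to every Set-Cookie header lacking it.
    A deploy-time backstop for an app served behind TLS; it does not replace
    fixing the set_cookie call in the application itself."""
    def wrapped(environ, start_response):
        def secure_start_response(status, headers, exc_info=None):
            fixed = []
            for name, value in headers:
                if (name.lower() == "set-cookie"
                        and "missing Secure (CWE-614)" in audit_set_cookie(value)["findings"]):
                    value = value + "; Secure"
                fixed.append((name, value))
            return start_response(status, fixed, exc_info)
        return app(environ, secure_start_response)
    return wrapped


def run_wsgi(app, environ=None):
    """Invoke a WSGI app in-process and return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers
        return lambda data: None

    body = b"".join(app(environ or {}, start_response))
    return captured["status"], captured["headers"], body


def demo_app(environ, start_response):
    """Constructed app that sets the session cookie the weak way."""
    headers = [("Content-Type", "text/plain"),
               ("Set-Cookie", weak_session_cookie("a1b2c3"))]
    start_response("200 OK", headers)
    return [b"ok"]


if __name__ == "__main__":
    for label, header in (("weak", weak_session_cookie("a1b2c3")),
                          ("hardened", hardened_session_cookie("a1b2c3"))):
        print(label, "->", header, audit_set_cookie(header)["findings"])
    _, headers, _ = run_wsgi(force_secure_cookies(demo_app))
    print("backstop ->", dict(headers)["Set-Cookie"])
```

The fix at the source in Pyramid is the `secure` argument of the response's `set_cookie` method (`request.response.set_cookie(name, value, secure=True, httponly=True, samesite='Lax')`) and the `secure=True` option of the cookie session factories and `AuthTktAuthenticationPolicy`. The middleware only catches cookies the application emits; it cannot stop a network attacker from setting a cookie of the same name over HTTP, which is what the `__Host-` cookie name prefix addresses.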