# Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute
| Property | |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-614: Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute |
| OWASP | A05:2021 - Security Misconfiguration |
| Confidence Level | Medium |
| Impact Level | Low |
| Likelihood Level | Low |
## Description

Cookies are being set in Pyramid applications without the `Secure` attribute. That attribute instructs the browser to send the cookie only over HTTPS; without it, the browser will attach the cookie to any plaintext `http://` request for the same host, for example one an attacker induces by injecting an `http://` link or image into a page, or by answering a captive-portal or DNS lookup. A session or authentication cookie that travels in such a request can be read by anyone on the network path.
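The following is an added example, not code from the original page or from the Pyramid project. It builds the `Set-Cookie` header a server emits with and without `Secure` (using the standard library's `http.cookies` in place of the framework; Pyramid's `Response.set_cookie(name, value, secure=True, httponly=True, samesite='Lax')` and `SignedCookieSessionFactory(secret, secure=True, httponly=True)` take the same flags) and runs a small audit over a set of constructed response headers that reports sensitive cookies lacking `Secure`. The list of name fragments used to decide which cookies are sensitive, and the sample headers, are assumptions made for the example.

```python
from http.cookies import SimpleCookie

# Name fragments this audit treats as marking a sensitive cookie. This list is
# an illustrative assumption for the example, not a standard.
SENSITIVE_NAME_HINTS = ("session", "auth", "token", "sid", "remember")


def build_set_cookie(name, value, secure, httponly=True, samesite="Lax", path="/"):
    """Build the Set-Cookie header value a server emits for the given flags.

    Pyramid's Response.set_cookie(name, value, secure=..., httponly=..., samesite=...)
    produces the same header; the stdlib SimpleCookie stands in for the framework here.
    """
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["path"] = path
    morsel["httponly"] = httponly
    morsel["secure"] = secure        # the attribute CWE-614 is about
    morsel["samesite"] = samesite
    return jar.output(header="").strip()


def audit_set_cookie(header_value):
    """Inspect one Set-Cookie header value and report missing protections."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    # Attribute names are case-insensitive; flags such as Secure carry no value.
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:]}
    sensitive = any(hint in name.lower() for hint in SENSITIVE_NAME_HINTS)
    secure = "secure" in attrs
    httponly = "httponly" in attrs
    issues = []
    if sensitive and not secure:
        issues.append("CWE-614: sensitive cookie %r lacks the Secure attribute" % name)
    if sensitive and not httponly:
        issues.append("sensitive cookie %r lacks HttpOnly" % name)
    if name.startswith(("__Secure-", "__Host-")) and not secure:
        # Browsers enforce these prefixes: the cookie is rejected without Secure.
        issues.append("%r uses a cookie-name prefix that requires Secure" % name)
    return {
        "name": name,
        "sensitive": sensitive,
        "secure": secure,
        "httponly": httponly,
        "issues": issues,
    }


def audit_response_headers(headers):
    """Run the audit over (header-name, value) pairs; return issues keyed by cookie name."""
    findings = {}
    for hname, hvalue in headers:
        if hname.lower() != "set-cookie":
            continue
        result = audit_set_cookie(hvalue)
        findings[result["name"]] = result["issues"]
    return findings


if __name__ == "__main__":
    # Constructed response headers: a weak session cookie, a hardened one, a harmless one.
    sample = [
        ("Content-Type", "text/html"),
        ("Set-Cookie", build_set_cookie("session", "opaque-id", secure=False)),
        ("Set-Cookie", build_set_cookie("__Host-session", "opaque-id", secure=True)),
        ("Set-Cookie", "theme=dark; Path=/"),
    ]
    for cookie, issues in audit_response_headers(sample).items():
        print(cookie, "->", issues or "ok")
```

Setting `secure=True` is still correct when TLS is terminated at a proxy and the application itself listens on plain HTTP: the attribute is evaluated by the browser against the scheme it used, not by the server. The `__Host-` prefix shown in the hardened cookie goes one step further, because browsers refuse to store such a cookie unless `Secure` is present, so a regression cannot silently ship.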
## Impact

An attacker positioned on the network path (for example on shared Wi-Fi or a compromised router) who observes a plaintext request carrying the session or authentication cookie can replay it to act as that user, leading to account takeover or unauthorized access to the user's data.