Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-614: Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute |
| OWASP | A05:2021 - Security Misconfiguration |
| Confidence Level | Medium |
| Impact Level | Low |
| Likelihood Level | Low |
Description
The Pyramid AuthTkt authentication cookie is created without setting the ‘secure’ flag to True. Without this attribute the browser will also send the cookie over unencrypted HTTP connections, where it is exposed to interception.
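The check below is an added example, not code from this rule page or from Pyramid itself: it audits a response's Set-Cookie headers and reports session cookies that lack the Secure attribute, using constructed sample headers for a policy built without and with secure=True. The cookie name auth_tkt is Pyramid's default for AuthTktAuthenticationPolicy; the other names in SESSION_COOKIE_NAMES are assumptions for the example.

```python
from http.cookies import SimpleCookie

# Pyramid side of the finding (shown as comments; this example does not import Pyramid):
#   vulnerable: AuthTktAuthenticationPolicy(secret, hashalg="sha512", http_only=True)
#   fixed:      AuthTktAuthenticationPolicy(secret, hashalg="sha512", http_only=True, secure=True)
# With secure=True the browser sends the auth_tkt cookie only over HTTPS.

# Cookie names to treat as session-bearing. 'auth_tkt' is Pyramid's default cookie_name
# for AuthTktAuthenticationPolicy; the other two are common names assumed for this example.
SESSION_COOKIE_NAMES = frozenset({"auth_tkt", "session", "sessionid"})


def insecure_session_cookies(response_headers, names=SESSION_COOKIE_NAMES):
    """Return the sorted names of session cookies set without the Secure attribute.

    response_headers is a WSGI-style list of (header_name, header_value) tuples.
    Each Set-Cookie header is parsed with the stdlib SimpleCookie, whose Morsel
    exposes the Secure flag as morsel["secure"] (True when present, "" otherwise).
    """
    findings = set()
    for header_name, header_value in response_headers:
        if header_name.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(header_value)
        for cookie_name, morsel in jar.items():
            if cookie_name in names and not morsel["secure"]:
                findings.add(cookie_name)
    return sorted(findings)


# Constructed sample headers (not captured from a real application). Pyramid's
# AuthTkt helper may emit the same cookie once per domain variant, so the
# cookie name repeats; the finding is reported once per name.
BEFORE_FIX = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Set-Cookie", "auth_tkt=0123abcd!alice; Path=/; HttpOnly"),
    ("Set-Cookie", "auth_tkt=0123abcd!alice; Domain=.example.com; Path=/; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/"),
]
AFTER_FIX = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Set-Cookie", "auth_tkt=0123abcd!alice; Path=/; secure; HttpOnly"),
    ("Set-Cookie", "auth_tkt=0123abcd!alice; Domain=.example.com; Path=/; secure; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/"),
]

if __name__ == "__main__":
    print("before fix:", insecure_session_cookies(BEFORE_FIX))  # ['auth_tkt']
    print("after fix: ", insecure_session_cookies(AFTER_FIX))   # []
```

The same function can be run against the headers of a live test client response (for example WebTest's `response.headerlist`) as a regression test that the policy keeps secure=True.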
Impact
If exploited, an attacker on the same network could steal authentication cookies during transmission, potentially gaining unauthorized access to user accounts and sensitive data. This compromises session integrity and can lead to account takeover or data breaches.