Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute
| Property | |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-614: Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute |
| OWASP | A05:2021 - Security Misconfiguration |
| Confidence Level | Medium |
| Impact Level | Low |
| Likelihood Level | Low |
Description
The Pyramid authentication ticket cookie is being created without setting secure=True, which means the cookie can be transmitted over unencrypted HTTP connections. This exposes sensitive authentication data to interception by attackers on insecure networks.
Impact
If exploited, an attacker could steal authentication cookies via network sniffing on unsecured connections, potentially hijacking user sessions and gaining unauthorized access to user accounts or sensitive areas of the application.
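In Pyramid the fix is to pass secure=True (and http_only=True) to AuthTktAuthenticationPolicy so the browser only sends the ticket over TLS. The following added example is not part of this rule page or of Pyramid; it audits a response's Set-Cookie headers for sensitive cookies that lack the Secure attribute, using only the standard library. The cookie names in SENSITIVE_COOKIES other than Pyramid's default "auth_tkt" are assumptions.

```python
"""Audit Set-Cookie headers for sensitive cookies lacking Secure (CWE-614)."""
from http.cookies import SimpleCookie

# "auth_tkt" is the default cookie name of Pyramid's AuthTktAuthenticationPolicy;
# the other names are assumed examples of session-bearing cookies.
SENSITIVE_COOKIES = {"auth_tkt", "session", "sessionid"}


def parse_set_cookie(header_value):
    """Return (name, attrs) for one Set-Cookie header value, or (None, {})."""
    jar = SimpleCookie()
    jar.load(header_value)  # unparsable parts are silently dropped
    if not jar:
        return None, {}
    name, morsel = next(iter(jar.items()))
    # Flag attributes are True when present and "" when absent.
    return name, {
        "secure": bool(morsel["secure"]),
        "httponly": bool(morsel["httponly"]),
    }


def audit_set_cookies(set_cookie_headers, over_https=True):
    """Return one finding per sensitive cookie set over HTTPS without Secure.

    over_https mirrors the rule's precondition: a cookie set on a plain-HTTP
    response is a different (and larger) problem than a missing attribute.
    """
    findings = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if name is None or name not in SENSITIVE_COOKIES:
            continue
        if over_https and not attrs["secure"]:
            findings.append(f"{name}: missing Secure attribute (CWE-614)")
    return findings


if __name__ == "__main__":
    # Constructed sample: headers a Pyramid app might emit after login with
    # the default secure=False, plus a harmless preference cookie.
    sample = [
        "auth_tkt=0123abcd4567ef89!userid_type:b64unicode; Path=/; HttpOnly",
        "theme=dark; Path=/",
    ]
    for finding in audit_set_cookies(sample):
        print(finding)
    # Fix in Pyramid: AuthTktAuthenticationPolicy(secret, secure=True, http_only=True)
```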