Cookie without Secure Flag
Impact: Low
Description
The Secure cookie flag prevents the browser from sending the cookie over an unencrypted connection. A cookie with the Secure flag is sent to the server only with an encrypted request over the HTTPS protocol. Without the flag, the browser also attaches the cookie to plain-HTTP requests to the same host, so a man-in-the-middle attacker on the network path can read it; with the flag, it can't easily be accessed that way.
Recommendation
Set the Secure flag on the cookie, and on any cookie that carries session or authentication state in particular.
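As an added example, not part of the original page, the following Python code parses Set-Cookie header values the way a scanner would, reports cookies that lack the Secure attribute, and shows both a corrected header and a cookie built with the flag from the start. The sample headers are constructed for the example.

```python
"""Audit Set-Cookie headers for the Secure flag (added example)."""
from dataclasses import dataclass, field
from http.cookies import SimpleCookie


@dataclass
class CookieAudit:
    name: str
    secure: bool
    attributes: dict = field(default_factory=dict)


def parse_set_cookie(header_value: str) -> CookieAudit:
    """Split one Set-Cookie value into cookie name and its attributes.

    Attribute names are case-insensitive per RFC 6265, so they are lowered;
    value-less attributes such as Secure and HttpOnly map to an empty string.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return CookieAudit(name=name, secure="secure" in attrs, attributes=attrs)


def cookies_missing_secure(headers):
    """Names of cookies that the browser would also send over plain HTTP."""
    return [parse_set_cookie(h).name for h in headers if not parse_set_cookie(h).secure]


def add_secure_flag(header_value: str) -> str:
    """The fix: append '; Secure' to a header that lacks it (idempotent)."""
    if parse_set_cookie(header_value).secure:
        return header_value
    return header_value.rstrip("; ") + "; Secure"


def build_secure_cookie(name: str, value: str) -> str:
    """Emit a Set-Cookie value with Secure (and HttpOnly) using the stdlib."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["secure"] = True
    jar[name]["httponly"] = True
    jar[name]["path"] = "/"
    return jar[name].OutputString()


# Constructed sample response headers: only the first one is missing Secure.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",
    "theme=dark; Path=/; Max-Age=31536000; Secure",
    "csrftoken=xyz789; Path=/; Secure; SameSite=Lax",
]
```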
References
- OWASP: Secure Cookie Flag
- OWASP: Session Management Cheat Sheet
- Wikipedia: Man-in-the-middle attack
- CWE-614
- OWASP 2017-A3
- OWASP 2021-A2
- OWASP 2013-A6
- OWASP 2021-A5
Last updated on February 15, 2021