Session Cookie without Secure Flag

Impact: Medium


The absence of the Secure flag in session cookies allows them to be transmitted over unencrypted connections, making them vulnerable to interception by attackers conducting man-in-the-middle (MitM) attacks. A session cookie without the Secure flag can be captured by attackers monitoring network traffic.


To enhance security, always set the Secure flag for session cookies, especially those containing sensitive information such as session tokens or user credentials. This ensures that session cookies are only transmitted over secure, encrypted connections, mitigating the risk of interception by attackers.


Last updated on May 13, 2024

Use SmartScanner Free version to test for this issue