Description
The absence of the Secure flag in session cookies allows them to be transmitted over unencrypted connections, making them vulnerable to interception by attackers conducting man-in-the-middle (MitM) attacks. A session cookie without the Secure flag can be captured by attackers monitoring network traffic.
Recommendation
To enhance security, always set the Secure flag for session cookies, especially those containing sensitive information such as session tokens or user credentials. This ensures that session cookies are only transmitted over secure, encrypted connections, mitigating the risk of interception by attackers.
References
- OWASP: Secure Cookie Flag
- OWASP: Session Management Cheat Sheet
- Wikipedia: Man-in-the-middle attack
- MDN Web Docs: Secure cookie
- CWE-16
- CWE-614
- OWASP 2021-A5