Insecure Cookie Flag

What does this mean?

The Secure flag is an attribute that the application server can add to a cookie when it issues it in the Set-Cookie header of an HTTP response. Its purpose is to keep the cookie from being exposed to unauthorized parties through transmission in clear text. A browser that honours the flag only transmits a cookie marked Secure when the request is made over HTTPS; it never includes it in a plain HTTP request. Without the flag, the browser attaches the cookie to every request for the matching domain and path, whether or not the connection is encrypted.

What can happen?

If the browser transmits cookies over unencrypted connections, an attacker positioned on the network path can intercept the traffic and read (or even modify) the cookie contents; for a session cookie this amounts to session hijacking. Serving the site over HTTPS is not enough on its own: without the Secure flag, the browser still sends the cookie if it is induced to make a plain http:// request to the same host, for example by following a link or an image reference that the attacker injects into another page.

Recommendation

  • Set the Secure flag on every cookie the application issues when the site is served over HTTPS, and always on cookies that carry sensitive data such as session identifiers or authentication tokens.
  • Set the HttpOnly flag as well. HttpOnly is a separate attribute that prohibits client-side scripts from reading the cookie through document.cookie: as the name indicates, the cookie is then only available to HTTP(S) requests. It complements the Secure flag but does not replace it.
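As an added example (not code from the original page), the Node.js script below ties the explanation and the recommendation together: it parses Set-Cookie response headers, reports cookies that lack the Secure or HttpOnly attribute, and models the browser rule that makes the missing Secure flag dangerous, namely that a cookie without it is attached to http:// requests as well. The sample headers are constructed for the example, and the browser model is deliberately simplified to the scheme check (domain, path and expiry matching are assumed to succeed).

```javascript
// Added example (not from the original page): audit Set-Cookie headers for the
// Secure and HttpOnly flags and model why a missing Secure flag matters.
// Runs offline in Node.js; the headers below are constructed samples.

// Parse one Set-Cookie header value into its name/value pair and the attributes
// relevant here. Attribute names are case-insensitive (RFC 6265 section 5.2).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((part) => part.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq === -1 ? pair : pair.slice(0, eq),
    value: eq === -1 ? '' : pair.slice(eq + 1),
    secure: false,
    httpOnly: false,
    sameSite: null,
  };
  for (const attr of attrs) {
    const sep = attr.indexOf('=');
    const key = (sep === -1 ? attr : attr.slice(0, sep)).toLowerCase();
    const val = sep === -1 ? '' : attr.slice(sep + 1);
    if (key === 'secure') cookie.secure = true;
    else if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'samesite') cookie.sameSite = val;
  }
  return cookie;
}

// Simplified model of the browser rule in RFC 6265 section 5.4: a cookie marked
// Secure is attached only to requests made over a secure scheme (https:).
// Only the scheme check is modelled; domain, path and expiry are assumed to match.
function browserWouldSend(cookie, requestUrl) {
  const { protocol } = new URL(requestUrl);
  return !(cookie.secure && protocol !== 'https:');
}

// Audit every Set-Cookie header of a response and return one finding per
// missing flag. An empty array means every cookie carries both flags.
function auditSetCookieHeaders(headers) {
  const findings = [];
  for (const header of headers) {
    const cookie = parseSetCookie(header);
    if (!cookie.secure) {
      findings.push(`${cookie.name}: missing Secure, the browser also sends it on http:// requests`);
    }
    if (!cookie.httpOnly) {
      findings.push(`${cookie.name}: missing HttpOnly, readable from document.cookie`);
    }
  }
  return findings;
}

// Constructed sample headers, as a server might emit them (not captured from a real site).
const SAMPLE_HEADERS = [
  'sessionid=abc123; Path=/; HttpOnly',                  // session cookie without Secure: vulnerable
  'csrftoken=xyz789; Path=/; Secure; SameSite=Strict',   // Secure, but script-readable
  'auth=tok456; Path=/; Secure; HttpOnly; SameSite=Lax', // compliant
];

function demo() {
  const session = parseSetCookie(SAMPLE_HEADERS[0]);
  const auth = parseSetCookie(SAMPLE_HEADERS[2]);
  console.log('sessionid (no Secure) sent to http://example.com/ ?', browserWouldSend(session, 'http://example.com/'));
  console.log('auth (Secure) sent to http://example.com/ ?', browserWouldSend(auth, 'http://example.com/'));
  for (const finding of auditSetCookieHeaders(SAMPLE_HEADERS)) console.log('FINDING', finding);
}

demo();
```

In practice you would feed auditSetCookieHeaders the array returned by a real client, for example `response.headers['set-cookie']` from Node's http module; the audit logic itself does not change.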

Sample Code

Vulnerable :

HttpCookie myCookie = new HttpCookie("SensitiveCookie", sensitiveData);
myCookie.Secure = false; // Sensitive: a security-sensitive cookie is created with the Secure flag set to false
Response.Cookies.Add(myCookie);

Non Vulnerable :

HttpCookie myCookie = new HttpCookie("SensitiveCookie", sensitiveData);
myCookie.Secure = true; // Compliant: the cookie will not be sent on an unencrypted HTTP request thanks to the Secure property set to true
Response.Cookies.Add(myCookie);

Vulnerable :

import javax.servlet.http.Cookie;

Cookie c = new Cookie(COOKIENAME, sensitiveData);
c.setSecure(false); // Sensitive: a security-sensitive cookie is created with the Secure flag set to false

Non Vulnerable :

import javax.servlet.http.Cookie;

Cookie c = new Cookie(COOKIENAME, sensitiveData);
c.setSecure(true); // Compliant: the cookie will not be sent on an unencrypted HTTP request thanks to the Secure flag set to true
response.addCookie(c);

Vulnerable :

$value = "sensitive data";
setcookie($name, $value, $expire, $path, $domain);    // Sensitive: the Secure flag (sixth argument) is not given and defaults to false
setrawcookie($name, $value, $expire, $path, $domain); // Sensitive: same defect for the raw (non-URL-encoded) variant

Non Vulnerable :

$value = "sensitive data";
setcookie($name, $value, $expire, $path, $domain, true);    // Compliant: the cookie will not be sent on an unencrypted HTTP request thanks to the Secure flag (sixth argument) set to true
setrawcookie($name, $value, $expire, $path, $domain, true); // Compliant: same for the raw (non-URL-encoded) variant

Vulnerable :

const express = require('express');
const session = require('express-session');

const app = express();
app.use(session({
    secret: process.env.SESSION_SECRET, // express-session requires a signing secret
    cookie:
    {
        secure: false // Vulnerable: the session cookie is also sent over plain HTTP
    }
}));

Non Vulnerable :

const express = require('express');
const session = require('express-session');

const app = express();
app.set('trust proxy', 1); // needed when TLS terminates at a reverse proxy; otherwise req.secure is false and the cookie is never set
app.use(session({
    secret: process.env.SESSION_SECRET, // express-session requires a signing secret
    cookie:
    {
        secure: true, // Non Vulnerable: the session cookie is only sent over HTTPS
        httpOnly: true
    }
}));

Vulnerable :

const cookieSession = require('cookie-session');

const session = cookieSession({
    keys: ['key1', 'key2'], // cookie-session requires signing keys; use real secrets in production
    secure: false, // Vulnerable: the session cookie is also sent over plain HTTP
});

Non Vulnerable :

const cookieSession = require('cookie-session');

const session = cookieSession({
    keys: ['key1', 'key2'], // cookie-session requires signing keys; use real secrets in production
    secure: true, // Non Vulnerable: the session cookie is only sent over HTTPS
});

References