
javax.servlet.http — insecure cookie

This rule flags cookies in Java web applications that are created or set without the Secure flag, for example by calling setSecure(false) on a javax.servlet.http.Cookie. Without this flag the browser will also send the cookie over plain HTTP, where anyone positioned on the network path can read it, typically through a machine-in-the-middle (MITM) attack.

Cookies frequently carry sensitive values such as session identifiers and personal data. A cookie set without the Secure flag is returned by the browser on both HTTPS and HTTP requests, so a single plaintext request (a mixed-content resource, an http:// link, a downgrade forced by an attacker) is enough to expose it. To mitigate this risk, set the Secure flag on every cookie that belongs to an HTTPS site, so the browser only transmits it over TLS-protected connections.

CookieSecureFalse.java
import javax.servlet.http.Cookie;

public class SessionCookie {
    public static void main(String[] args) {
        Cookie cookie = new Cookie("cookieName", "cookieValue");
        cookie.setHttpOnly(true);   // hidden from script, but still sent over plain HTTP
        cookie.setSecure(false);    // line 7: explicitly disables the Secure flag, which is what the rule reports
    }
}
Example Output
> precli tests/unit/rules/java/stdlib/javax_servlet_http/examples/CookieSecureFalse.java
⚠️  Warning on line 7 in tests/unit/rules/java/stdlib/javax_servlet_http/examples/CookieSecureFalse.java
JAV005: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
The cookie 'cookie' was found without the 'Secure' flag set.

All cookies that contain sensitive data or are used in a secure context must have the Secure flag enabled. This ensures the browser only transmits them over HTTPS, which protects them against eavesdropping and MITM attacks on the communication channel. Note that javax.servlet.http.Cookie defaults to secure=false, so the fix is to call setSecure(true) explicitly rather than merely to delete the setSecure(false) call.
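The following is an added example, not code from the precli documentation or from the precli project, showing how a javax.servlet application applies the fix in practice: a helper that builds a cookie with the Secure and HttpOnly flags, a servlet that only issues the cookie on a TLS request, and a ServletContextListener that applies the same flags to the container-managed session cookie (JSESSIONID). The class names, the "auth_token" cookie name and the login flow are illustrative assumptions; the servlet API calls (Cookie.setSecure, HttpServletRequest.isSecure, ServletContext.getSessionCookieConfig) are the standard Servlet 3.0+ API. The servlet and listener would be registered the usual way, via web.xml or the @WebServlet / @WebListener annotations.

```java
// Added example (not part of the precli docs): hardening cookies in a
// javax.servlet application. Names like SecureCookies, LoginServlet and
// "auth_token" are illustrative assumptions.
import java.io.IOException;
import java.util.UUID;

import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletException;
import javax.servlet.SessionCookieConfig;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public final class SecureCookies {

    private SecureCookies() { }

    /**
     * Builds a cookie that the browser will only send over TLS and that
     * scripts cannot read. javax.servlet.http.Cookie defaults to
     * secure=false, so leaving setSecure out is as weak as setSecure(false).
     */
    public static Cookie hardened(String name, String value, int maxAgeSeconds) {
        Cookie c = new Cookie(name, value);
        c.setSecure(true);      // the attribute this rule checks for
        c.setHttpOnly(true);    // keep the value away from document.cookie
        c.setPath("/");
        c.setMaxAge(maxAgeSeconds);
        return c;
    }

    /** Issues an application cookie only when the request itself arrived over TLS. */
    public static class LoginServlet extends HttpServlet {
        @Override
        protected void doPost(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            // Browsers that implement "strict secure cookies" reject a Secure
            // cookie set from a plain-HTTP response, so refuse outright instead
            // of silently falling back to an insecure cookie.
            if (!req.isSecure()) {
                resp.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
                return;
            }
            // Placeholder token; a real application binds this to the
            // authenticated principal in server-side state.
            String token = UUID.randomUUID().toString();
            resp.addCookie(hardened("auth_token", token, 30 * 60));
            resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
        }
    }

    /**
     * The container creates JSESSIONID itself, so setSecure on individual
     * Cookie objects never touches it; the SessionCookieConfig does.
     */
    public static class SessionCookieHardener implements ServletContextListener {
        @Override
        public void contextInitialized(ServletContextEvent sce) {
            SessionCookieConfig cfg = sce.getServletContext().getSessionCookieConfig();
            cfg.setSecure(true);
            cfg.setHttpOnly(true);
        }

        @Override
        public void contextDestroyed(ServletContextEvent sce) { }
    }
}
```

The isSecure() check matters behind a TLS-terminating proxy: the container only reports the request as secure if the connector is configured for it (for example a Tomcat RemoteIpValve honouring X-Forwarded-Proto), otherwise every request looks like plain HTTP and the servlet will refuse all logins. The equivalent of the listener in web.xml is a <session-config><cookie-config><secure>true</secure></cookie-config></session-config> element.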

CookieSecureFalse.java
import javax.servlet.http.Cookie;

public class SessionCookie {
    public static void main(String[] args) {
        Cookie cookie = new Cookie("cookieName", "cookieValue");
        cookie.setHttpOnly(true);
        cookie.setSecure(true);     // browser now sends the cookie only over HTTPS
    }
}
Default rule configuration:
enabled = true
level = "warning"

New in version 0.5.1