Sensitive Cookie in HTTPS Session Without Secure Attribute
Test name: Cookie Security Check
## Summary
An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to the user's web browser. The browser may store it and send it back with later requests to the same server. Typically, it is used to tell if two requests came from the same browser (keeping a user logged-in, for example).
One of the ways to protect sensitive cookies is to ensure that they are sent securely and are not accessed by unintended parties or scripts: use the `Secure` attribute. A cookie with the `Secure` attribute is sent to the server only with an encrypted request over the HTTPS protocol, never with unsecured HTTP (except on localhost). This prevents attackers from easily obtaining cookies by intercepting unsecured HTTP requests that carry them in plaintext. Insecure sites (with `http:` in the URL) cannot set cookies with the `Secure` attribute.
## Impact
An attacker able to observe plaintext HTTP traffic can obtain the cookie value and, with it, read the application data the cookie protects.
## Location
The issue can be found in the source code on the server side.
## Remedy suggestions
Enable the `Secure` attribute for sensitive cookies.
- .NET
  * "Web.config":
    ```xml
    <system.web>
    ...
    </system.web>
    ```
  * C#:
    ```csharp
    Response.Cookies.Add(
        new HttpCookie("key", "value")
        {
            // ... other cookie properties
            Secure = true
        });
    ```
- PHP
  * "php.ini":
    ```ini
    session.cookie_secure = True
    ```
  * During a script (parameter `$secure` should be set to `true`):
    ```php
    void session_set_cookie_params ( int $lifetime [, string $path [, string $domain [, bool $secure = false [, bool $httponly = false ]]]] )
    ```
  * Application cookies (parameter `$secure` should be set to `true`):
    ```php
    bool setcookie ( string $name [, string $value [, int $expire = 0 [, string $path [, string $domain [, bool $secure = false [, bool $httponly = false ]]]]]] )
    ```
## Classifications
- CWE-614
- CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N