These docs are for v1.1. Click to read the latest docs for v1.2.

Sensitive Cookie in HTTPS Session Without Secure Attribute

Severity: Low
Test name: Cookie Security Check

An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to the user's web browser. The browser may store it and send it back with later requests to the same server. Typically, it is used to tell if two requests came from the same browser (keeping a user logged-in, for example).

One of the ways to protect sensitive cookies is to ensure that they are sent securely and are not accessed by unintended parties or scripts: use the Secure attribute. A cookie with the Secure attribute is sent to the server only with an encrypted request over the HTTPS protocol, never with unsecured HTTP (except on localhost). It prevents attackers from accessing cookies easily by intercepting unsecured HTTP requests with plaintext cookies. Insecure sites (with http: in the URL) cannot set cookies with the Secure attribute.


This vulnerability allows an attacker to read the application data.


The issue can be found in the source code on the server side.

Remedy suggestions

It is necessary to configure (enable) the Secure attribute for sensitive cookies.

  • .NET
    * "Web.config" :


    * C# :
        new HttpCookie("key", "value")
            Secure = true
  • PHP

    • "php.ini" :
    session.cookie_secure = True
    • During a script (parameter $secure should be set to true):
    void session_set_cookie_params ( int $lifetime  [, string $path  [, string $domain [, bool $secure= false  [, bool $httponly= false  ]]]] )
    • Application cookies (parameter $secure should be set to true):
    bool setcookie ( string $name  [, string $value  [, int $expire= 0  [, string $path  [, string $domain  [, bool $secure= false  [, bool $httponly= false  ]]]]]] )
  • CWE-614
  • CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N