CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

Description

The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session.

Submission Date: 2007-05-07

Modification Date: 2023-06-29

Organization: MITRE

Example Vulnerable Codes

Example - 1

The snippet of code below, taken from a servlet doPost() method, sets an accountID cookie (sensitive) without calling setSecure(true).


Cookie c = new Cookie(ACCOUNT_ID, acctID);
// Weakness: c.setSecure(true) is never called, so the cookie may be sent over plain HTTP
response.addCookie(c);
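The servlet snippet above shows the weakness at the point where the cookie is created; the observable symptom is a Set-Cookie header on an HTTPS response with no Secure attribute. The following added example (not MITRE's code, and not part of this CWE entry) is a small Python audit that parses Set-Cookie header values the way RFC 6265 splits them, reports which cookies on an HTTPS response lack Secure, and shows the remediated header. The header strings are constructed sample data; the accountID cookie mirrors the vulnerable snippet.

```python
"""Audit Set-Cookie headers for CWE-614 (Secure attribute missing on an HTTPS response).

Constructed example for this CWE entry; the function and header names below are
assumptions, not part of MITRE's text.
"""
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample Set-Cookie header values from one HTTPS response.
SAMPLE_HEADERS = [
    "JSESSIONID=7f3a9c; Path=/; Secure; HttpOnly",
    "accountID=12345; Path=/",  # same defect as the servlet snippet: no Secure
    "prefs=dark; Expires=Wed, 21 Oct 2025 07:28:00 GMT; Path=/; SameSite=Lax",
    "__Host-csrf=abc; Path=/; Secure; HttpOnly; SameSite=Strict",
]


def parse_set_cookie(header_value: str) -> Tuple[str, Dict[str, str]]:
    """Split one Set-Cookie value into (cookie_name, attributes).

    Attribute names are lower-cased; flag attributes such as Secure and HttpOnly
    map to an empty string. Splitting on ';' is correct because RFC 6265 forbids
    ';' inside cookie values and attribute values, so the comma inside an
    Expires date is not treated as a separator.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def cookies_missing_secure(
    set_cookie_headers: List[str],
    over_https: bool = True,
    sensitive: Optional[Set[str]] = None,
) -> List[str]:
    """Return names of cookies set without Secure on an HTTPS response.

    If `sensitive` is given, only those cookie names are reported, matching the
    CWE's focus on sensitive cookies. A response that was not served over HTTPS
    yields no CWE-614 finding (the cookie was already exposed in the clear).
    """
    if not over_https:
        return []
    findings = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if sensitive is not None and name not in sensitive:
            continue
        if "secure" not in attrs:
            findings.append(name)
    return findings


def with_secure(header_value: str) -> str:
    """Return the header with the Secure attribute appended if it is missing.

    This is the header-level equivalent of calling setSecure(true) before the
    cookie is added to the response.
    """
    _, attrs = parse_set_cookie(header_value)
    if "secure" in attrs:
        return header_value
    return header_value.rstrip().rstrip(";") + "; Secure"


if __name__ == "__main__":
    for name in cookies_missing_secure(SAMPLE_HEADERS):
        print(f"CWE-614: cookie {name!r} set over HTTPS without Secure")
    print(with_secure("accountID=12345; Path=/"))
```

Run against a captured response, the audit lists accountID and prefs; restricting it to a set of known sensitive cookie names (session and account identifiers) narrows the report to what this CWE is concerned with.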

Related Weaknesses

This table shows the weaknesses and high-level categories related to this weakness. These relationships are defined to give an overview of similar items that may exist at higher and lower levels of abstraction.

Visit http://cwe.mitre.org/ for more details.