Description
The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session.
Modes of Introduction:
– Implementation
Related Weaknesses
Consequences
Confidentiality: Read Application Data
Potential Mitigations
Phase: Implementation
Description:
Always set the Secure attribute when the cookie should be sent over HTTPS only.
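As an added illustration of this mitigation (example code, not part of the CWE entry), the block below builds a Set-Cookie header with the Secure attribute set and audits response headers for sensitive cookies that lack it, which is the condition described above. It goes slightly beyond the entry's Secure-only mitigation by also setting HttpOnly and SameSite as defaults. The cookie names, header values and the SENSITIVE_COOKIE_NAMES set are constructed for the demonstration.

```python
"""Added example (not part of the CWE entry): emit a session cookie with the
Secure attribute and audit Set-Cookie headers for sensitive cookies that lack it.
Cookie names and header values below are constructed for illustration."""
from http.cookies import SimpleCookie

# Cookie names that carry session or authentication state (constructed list).
SENSITIVE_COOKIE_NAMES = {"sessionid", "auth_token", "csrftoken"}


def build_session_cookie(name: str, value: str, max_age: int = 3600) -> str:
    """Return a Set-Cookie header value with Secure, HttpOnly and SameSite set.

    Secure is the attribute this weakness is about: without it the user agent
    also sends the cookie over plain HTTP to the same host.
    """
    cookie = SimpleCookie()
    cookie[name] = value
    morsel = cookie[name]
    morsel["secure"] = True        # only send over HTTPS
    morsel["httponly"] = True      # not readable from script
    morsel["samesite"] = "Lax"     # limit cross-site sends
    morsel["path"] = "/"
    morsel["max-age"] = str(max_age)
    return morsel.OutputString()


def audit_set_cookie(header_value: str) -> dict:
    """Parse one Set-Cookie header value and report missing hardening attributes.

    Attribute names are matched case-insensitively, as RFC 6265 requires.
    Returns {"name": str, "sensitive": bool, "missing": [attribute, ...]}.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    missing = [a for a in ("secure", "httponly", "samesite") if a not in attrs]
    return {
        "name": name,
        "sensitive": name.lower() in SENSITIVE_COOKIE_NAMES,
        "missing": missing,
    }


def find_insecure_sensitive_cookies(headers) -> list:
    """Given (header_name, value) pairs from an HTTPS response, return the
    names of sensitive cookies that lack Secure and so would also travel
    over HTTP. Non-sensitive cookies are ignored by design."""
    flagged = []
    for header_name, value in headers:
        if header_name.lower() != "set-cookie":
            continue
        report = audit_set_cookie(value)
        if report["sensitive"] and "secure" in report["missing"]:
            flagged.append(report["name"])
    return flagged


if __name__ == "__main__":
    # Constructed response headers: one weak session cookie, one harmless
    # preference cookie, one cookie built with the hardened helper above.
    response_headers = [
        ("Content-Type", "text/html"),
        ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly"),
        ("Set-Cookie", "theme=dark; Path=/"),
        ("Set-Cookie", build_session_cookie("auth_token", "t0k3n")),
    ]
    print("hardened header:", build_session_cookie("sessionid", "abc123"))
    print("sensitive cookies missing Secure:",
          find_insecure_sensitive_cookies(response_headers))
```

The audit treats only the names in SENSITIVE_COOKIE_NAMES as sensitive; a real deployment would derive that list from the application's own session and authentication cookie names.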
CVE References
- CVE-2004-0462: A product does not set the Secure attribute for sensitive cookies in HTTPS sessions, which could cause the user agent to send those cookies in plaintext over an HTTP session with the product.
- CVE-2008-3663: A product does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.
- CVE-2008-3662: A product does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.
- CVE-2008-0128: A product does not set the secure flag for a cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.