Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
Weakness ID: 614 (Weakness Variant)Status: Draft
+ Description

Description Summary

The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session.
+ Time of Introduction
  • Implementation
+ Demonstrative Examples

Example 1

The snippet of code below, taken from a servlet doPost() method, sets an accountID cookie (sensitive) without calling setSecure(true).

(Bad Code)
Example Language: Java 
Cookie c = new Cookie(ACCOUNT_ID, acctID);
response.addCookie(c);
+ Observed Examples
ReferenceDescription
CVE-2004-0462A product does not set the Secure attribute for sensitive cookies in HTTPS sessions, which could cause the user agent to send those cookies in plaintext over an HTTP session with the product.
CVE-2008-3663A product does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.
CVE-2008-3662A product does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.
CVE-2008-0128A product does not set the secure flag for a cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.
+ Potential Mitigations

Always set the secure attribute when the cookie should sent via HTTPS only.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness BaseWeakness Base311Missing SecurityDatabase\Encrypt\Encryption of Sensitive Data
Development Concepts (primary)699
Research Concepts (primary)1000
+ Related Attack Patterns
CAPEC-IDAttack Pattern Name
(CAPEC Version: 1.4)
102Session Sidejacking
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
Anonymous Tool Vendor (under NDA)Externally Mined
Modifications
Modification DateModifierOrganizationSource
2008-07-01Sean EidemillerCigitalExternal
added/updated demonstrative examples
2008-07-01Eric DalciCigitalExternal
updated Potential Mitigations, Time of Introduction
2008-09-08CWE Content TeamMITREInternal
updated Relationships, Taxonomy Mappings
2008-10-14CWE Content TeamMITREInternal
updated Observed Examples
2009-03-10CWE Content TeamMITREInternal
updated Name
2009-05-27CWE Content TeamMITREInternal
updated Related Attack Patterns
Previous Entry Names
Change DatePrevious Entry Name
2008-04-11Unset Secure Attribute for Sensitive Cookies in HTTPS Session