Recipe Name:
Session configuration: Cookies: Set Secure flag to true
Description:
Prevent a cookie being sent over unencrypted HTTP by setting the Secure flag to true
Level:
error
Language:
- java
Tags:
- Spring
- security
- framework specific
- web
- Spring Web
- OWASP Top 10
Documentation
Cookies should be configured securely using the HttpOnly and Secure settings.
Ensure the session cookie is only sent over HTTPS by calling setUseSecureCookie(true) on the Spring Session DefaultCookieSerializer.
Otherwise, if the cookie is sent over an unencrypted HTTP connection, the session ID can be disclosed to a man-in-the-middle attacker and replayed to hijack the session.
Note that calling setUseSecureCookie(false) is worse than not calling it at all: when the flag is never set, DefaultCookieSerializer adds Secure only when the request itself arrived over TLS (request.isSecure()), which can be false behind a TLS-terminating proxy or load balancer, whereas false disables the flag unconditionally. For an application served over HTTPS, forcing the flag to true is the safe choice.
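The following stand-alone program is an added example, not code from the original recipe page or from Spring Session itself. It builds two DefaultCookieSerializer instances, one with the flagged setting and one with the fix, writes a constructed session value through each using the Spring Test mock request and response, and prints the resulting Set-Cookie header so the presence or absence of the Secure attribute can be seen for both HTTP and HTTPS requests. It assumes spring-session-core and spring-test (2.x or 3.x, matching your servlet API) are on the classpath; the class name and the cookie value are invented for the demonstration.

```java
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.session.web.http.CookieSerializer;
import org.springframework.session.web.http.DefaultCookieSerializer;

// Added example (not part of the recipe or of Spring Session): shows what
// setUseSecureCookie(false) versus setUseSecureCookie(true) does to the
// Set-Cookie header actually emitted by DefaultCookieSerializer.
public class SecureCookieDemo {

    // The weak configuration the recipe flags: Secure is forced off, so the
    // session cookie is sent over plain HTTP regardless of the request scheme.
    static DefaultCookieSerializer insecureSerializer() {
        DefaultCookieSerializer serializer = new DefaultCookieSerializer();
        serializer.setUseSecureCookie(false);
        return serializer;
    }

    // The fixed configuration: Secure forced on, together with the other
    // attributes a session cookie should carry.
    static DefaultCookieSerializer hardenedSerializer() {
        DefaultCookieSerializer serializer = new DefaultCookieSerializer();
        serializer.setUseSecureCookie(true);
        serializer.setUseHttpOnlyCookie(true);
        serializer.setSameSite("Lax");
        return serializer;
    }

    // Writes one session cookie through the given serializer for a mock request
    // that is either plain HTTP or HTTPS, and returns the Set-Cookie header.
    static String setCookieHeader(DefaultCookieSerializer serializer, boolean httpsRequest) {
        MockHttpServletRequest request = new MockHttpServletRequest("GET", "/");
        request.setSecure(httpsRequest);
        MockHttpServletResponse response = new MockHttpServletResponse();
        // "demo-session-id" is a constructed value standing in for a real session ID.
        serializer.writeCookieValue(
                new CookieSerializer.CookieValue(request, response, "demo-session-id"));
        return response.getHeader("Set-Cookie");
    }

    public static void main(String[] args) {
        for (boolean https : new boolean[] {false, true}) {
            System.out.println("request over " + (https ? "HTTPS" : "HTTP"));
            System.out.println("  setUseSecureCookie(false): " + setCookieHeader(insecureSerializer(), https));
            System.out.println("  setUseSecureCookie(true):  " + setCookieHeader(hardenedSerializer(), https));
        }
        // With the flag never set, Secure follows request.isSecure(); this is what an
        // application behind a TLS-terminating proxy gets unless the forwarded scheme is applied.
        System.out.println("flag not set, HTTP request:  " + setCookieHeader(new DefaultCookieSerializer(), false));
    }
}
```

In a real application the hardened serializer would be exposed as a CookieSerializer bean in a configuration class using @EnableSpringHttpSession (or a store-specific variant such as @EnableRedisHttpSession) so that Spring Session uses it for every session cookie it writes; the output of the program above is what that bean would produce, with Secure present only for the hardened serializer (and, for the unset case, only when the request itself was TLS).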
Before
cookie.setUseSecureCookie(false);
After
cookie.setUseSecureCookie(true);
Resources
Recipe
id: scw:spring:web:cookie-set-secure
version: 10
metadata:
  name: 'Session configuration: Cookies: Set Secure flag to true '
  shortDescription: Prevent a cookie being sent over unencrypted HTTP by setting the Secure flag to true
  level: error
  language: java
  scwCategory: improper_session_handling:improper_flags_in_cookie_headers
  enabled: true
  descriptionFile: descriptions/SessionconfigurationCookiesSetSecureflagtotrue.html
  tags: Spring;security;framework specific;web;Spring Web;OWASP Top 10
search:
  methodcall:
    args:
      1:
        type: boolean
        value:
          stringified: "false"
    name: setUseSecureCookie
    type: org.springframework.session.web.http.DefaultCookieSerializer
availableFixes:
  - name: Set Secure to true
    actions:
      - modifyArguments:
          rewrite:
            1: "true"