Recipe Name:
Session configuration: Cookies: Configure Secure flag
Description:
Prevent a cookie being sent over unencrypted HTTP by setting the Secure flag to true
Level:
error
Language:
  • java
Tags:
  • security
  • web
  • Apache Shiro
  • OWASP Top 10
Documentation

Cookies should be configured securely using the HttpOnly and Secure settings.

Using setSecure(true) ensures the cookie is only sent over HTTPS. Otherwise, with the default setting, the cookie will also be sent over an unencrypted HTTP connection. This enables attackers to sniff the contents of the cookie, possibly leading to disclosure of session IDs via a Man-in-the-Middle attack.

Using setHttpOnly(true) ensures the cookie can only be accessed through the HTTP protocol, protecting it from client-side scripts. Cookies are frequently the target of Cross-Site Scripting (XSS) attacks. Setting these flags will mitigate many XSS attack vectors.

Before
SimpleCookie simpleCookie = new SimpleCookie(); // Secure flag never set: the cookie may be sent over plain HTTP
After
import org.apache.shiro.web.servlet.SimpleCookie;

SimpleCookie simpleCookie = new SimpleCookie();
simpleCookie.setSecure(true);   // only transmitted over HTTPS
simpleCookie.setHttpOnly(true); // not readable by client-side scripts
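The following is an added example, not part of the recipe or of Apache Shiro itself. It shows the "After" form in context: a hardened session-ID cookie wired into Shiro's DefaultWebSessionManager, plus a small audit method that reports which of the two flags a given cookie lacks, usable from a unit test or a start-up check. The cookie name, path and the class name are choices made for this example; the Shiro API calls used (SimpleCookie, Cookie, DefaultWebSessionManager and their setters) are the real ones from org.apache.shiro.web.

```java
import java.util.ArrayList;
import java.util.List;

import org.apache.shiro.web.servlet.Cookie;
import org.apache.shiro.web.servlet.SimpleCookie;
import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;

/**
 * Added example (not from the recipe): builds the Shiro session-ID cookie
 * with the Secure and HttpOnly flags set, and audits a cookie's flags so a
 * misconfigured cookie is caught before it ever reaches a browser.
 */
public class SessionCookieConfig {

    /** Cookie name chosen for this example. */
    static final String SESSION_COOKIE_NAME = "JSESSIONID";

    /** Creates the session cookie with both protective flags enabled. */
    public static SimpleCookie hardenedSessionCookie() {
        SimpleCookie cookie = new SimpleCookie(SESSION_COOKIE_NAME);
        cookie.setSecure(true);    // only transmitted over HTTPS
        cookie.setHttpOnly(true);  // not exposed to document.cookie / client-side scripts
        cookie.setPath("/");       // path chosen for this example
        cookie.setMaxAge(-1);      // session cookie: discarded when the browser closes
        return cookie;
    }

    /** Wires the hardened cookie into Shiro's web session manager. */
    public static DefaultWebSessionManager sessionManager() {
        DefaultWebSessionManager manager = new DefaultWebSessionManager();
        manager.setSessionIdCookie(hardenedSessionCookie());
        manager.setSessionIdCookieEnabled(true);
        manager.setSessionIdUrlRewritingEnabled(false); // keep the session ID out of URLs
        return manager;
    }

    /**
     * Returns the flags the recipe requires that are missing on the cookie;
     * an empty list means the cookie is configured correctly.
     */
    public static List<String> missingFlags(Cookie cookie) {
        List<String> missing = new ArrayList<>();
        if (!cookie.isSecure()) {
            missing.add("Secure");
        }
        if (!cookie.isHttpOnly()) {
            missing.add("HttpOnly");
        }
        return missing;
    }

    public static void main(String[] args) {
        // The "Before" form from the recipe: no flags set explicitly.
        SimpleCookie unconfigured = new SimpleCookie(SESSION_COOKIE_NAME);
        System.out.println("unconfigured cookie is missing: " + missingFlags(unconfigured));

        // The "After" form: both flags set.
        System.out.println("hardened cookie is missing: " + missingFlags(hardenedSessionCookie()));
    }
}
```

Keeping the flag audit separate from the factory means the same check can run against any Cookie implementation handed to the session manager, not only the one built here, which is useful when the cookie comes from shiro.ini property injection rather than from code (the equivalent ini settings are `sessionManager.sessionIdCookie.secure = true` and `sessionManager.sessionIdCookie.httpOnly = true`).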
Resources
Recipe
id: scw:web:apache:simplecookie-missing-secure
version: 10
metadata:
  name: 'Session configuration: Cookies: Configure Secure flag'
  shortDescription: Prevent a cookie being sent over unencrypted HTTP by setting the Secure flag to true
  level: error
  language: java
  scwCategory: improper_session_handling:improper_flags_in_cookie_headers
  enabled: true
  descriptionFile: descriptions/CookieFlags_SimpleCookie.html
  tags: security;web;Apache Shiro;OWASP Top 10
search:
  instanceCreation:
    not:
      followedBy:
        methodcall:
          name: setSecure
    type: org.apache.shiro.web.servlet.SimpleCookie
availableFixes:
- name: Set the Secure flag to true
  actions:
  - addMethodCall:
      name: setSecure
      arguments:
      - "true"
      position: first-available-spot