Recipe Name:
Session configuration: Cookies: Configure Secure flag
Description:
Prevent a cookie being sent over unencrypted HTTP by setting the Secure flag to true
Level:
error
Language:
  • java
Tags:
  • Spring
  • security
  • framework specific
  • web
  • Spring Web
  • OWASP Top 10
Documentation

Cookies should be configured securely using the HttpOnly and Secure attributes.

Ensure the session cookie is only sent over HTTPS by calling setUseSecureCookie(true) on the DefaultCookieSerializer. If the flag is never set, DefaultCookieSerializer falls back to request.isSecure() when writing the cookie: a session created over plain HTTP, or behind a TLS-terminating proxy that forwards plain HTTP to the application, is issued without the Secure attribute, so the browser will also send it over unencrypted HTTP and the session ID can be disclosed to a man-in-the-middle attacker.

Before
// Secure flag not set: falls back to request.isSecure(), which is false behind a TLS-terminating proxy
DefaultCookieSerializer defaultCookieSerializer = new DefaultCookieSerializer();
After
DefaultCookieSerializer defaultCookieSerializer = new DefaultCookieSerializer();
// Always emit the Secure attribute, regardless of how the request reached the application
defaultCookieSerializer.setUseSecureCookie(true);
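The same fix as it would appear in a real application, as an added example that is not part of this recipe or of Spring Session's own code: the serializer is registered as a CookieSerializer bean (Spring Session picks it up for the session cookie) with Secure set unconditionally, alongside HttpOnly and SameSite, and a spring-test/JUnit 5 check confirms the Secure attribute is emitted even when the request itself arrived over plain HTTP. The class names, cookie name and SameSite value are assumptions.

```java
import static org.junit.jupiter.api.Assertions.assertTrue;

import org.junit.jupiter.api.Test;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.session.web.http.CookieSerializer;
import org.springframework.session.web.http.CookieSerializer.CookieValue;
import org.springframework.session.web.http.DefaultCookieSerializer;

// Hypothetical configuration class (name assumed). Spring Session's
// SpringHttpSessionConfiguration autowires a CookieSerializer bean if one exists.
@Configuration
public class SessionCookieConfig {

    @Bean
    public CookieSerializer cookieSerializer() {
        DefaultCookieSerializer serializer = new DefaultCookieSerializer();
        serializer.setCookieName("SESSION"); // assumed name; matches Spring Session's default
        // Secure: set explicitly. Left unset, the serializer uses request.isSecure(),
        // which is false when a load balancer terminates TLS and forwards plain HTTP.
        serializer.setUseSecureCookie(true);
        // HttpOnly: keep the session ID out of document.cookie. This is already the
        // default, but stating it keeps the intent visible when the class is edited.
        serializer.setUseHttpOnlyCookie(true);
        // SameSite: do not attach the session cookie to cross-site requests
        // (defence in depth against CSRF). "Lax" is an assumed policy choice.
        serializer.setSameSite("Lax");
        return serializer;
    }
}

// Check (would normally live under src/test): the Set-Cookie header must carry
// Secure even though the mock request is deliberately marked as not secure,
// i.e. the explicit flag, not request.isSecure(), decides the outcome.
class SessionCookieConfigTest {

    @Test
    void secureFlagIsSetEvenForInsecureRequest() {
        CookieSerializer serializer = new SessionCookieConfig().cookieSerializer();

        MockHttpServletRequest request = new MockHttpServletRequest();
        request.setSecure(false); // simulate plain HTTP from a TLS-terminating proxy
        MockHttpServletResponse response = new MockHttpServletResponse();

        // Constructed session id; a real id comes from the SessionRepository.
        serializer.writeCookieValue(new CookieValue(request, response, "constructed-session-id"));

        String setCookie = response.getHeader("Set-Cookie");
        assertTrue(setCookie.contains("Secure"), setCookie);
        assertTrue(setCookie.contains("HttpOnly"), setCookie);
        assertTrue(setCookie.contains("SameSite=Lax"), setCookie);
    }
}
```

Two caveats when applying this. First, once the Secure attribute is present the browser will not return the cookie over http:// at all, so a development setup served over plain HTTP will lose its session; serve development over HTTPS rather than turning the flag off. Second, the recipe below matches only on the presence of a setUseSecureCookie call after the constructor, not on its argument, so setUseSecureCookie(false) silences the finding while leaving the cookie exposed; a test like the one above catches that regression, the search pattern does not.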
Resources
Recipe
id: scw:spring:web:cookie-missing-secure
version: 10
metadata:
  name: 'Session configuration: Cookies: Configure Secure flag'
  shortDescription: Prevent a cookie being sent over unencrypted HTTP by setting the Secure flag to true
  level: error
  language: java
  scwCategory: improper_session_handling:improper_flags_in_cookie_headers
  enabled: true
  descriptionFile: descriptions/SessionconfigurationCookiesConfigureSecureflag.html
  tags: Spring;security;framework specific;web;Spring Web;OWASP Top 10
search:
  instanceCreation:
    not:
      followedBy:
        methodcall:
          name: setUseSecureCookie
    type: org.springframework.session.web.http.DefaultCookieSerializer
availableFixes:
- name: Set Secure flag to true
  actions:
  - addMethodCall:
      name: setUseSecureCookie
      arguments:
      - "true"
      position: first-available-spot