Recipe Name:
Session configuration: Cookies: Configure Secure flag
Description:
Prevent a cookie being sent over unencrypted HTTP by setting the Secure flag to true
Level:
error
Language:
- java
Tags:
- Spring
- security
- framework specific
- web
- Spring Web
- OWASP Top 10
Documentation
Cookies should be configured securely using the HttpOnly and Secure settings.
Ensure the session cookie is only sent over HTTPS by calling setUseSecureCookie(true) on the DefaultCookieSerializer.
Otherwise, with the default setting, the cookie can be sent over an unencrypted HTTP connection and the session ID could be disclosed via a Man-in-the-Middle attack.
Before
    DefaultCookieSerializer defaultCookieSerializer = new DefaultCookieSerializer();
After
    DefaultCookieSerializer defaultCookieSerializer = new DefaultCookieSerializer();
    defaultCookieSerializer.setUseSecureCookie(true);
Resources
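The snippet below is an added example, not part of the recipe or of Spring Session itself. It shows how the fix this recipe applies is normally wired into a Spring Boot application: a configuration class (the class name SessionCookieConfig is a placeholder) registers a CookieSerializer bean whose DefaultCookieSerializer has both flags the documentation mentions set explicitly.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.session.web.http.CookieSerializer;
import org.springframework.session.web.http.DefaultCookieSerializer;

// Added example (not recipe or project code). The class name is a placeholder;
// the DefaultCookieSerializer setters used are the ones the recipe refers to.
@Configuration
public class SessionCookieConfig {

    // Spring Session picks up a CookieSerializer bean and uses it to write and
    // read the session cookie, so this single bean governs every session cookie
    // the application issues.
    @Bean
    public CookieSerializer cookieSerializer() {
        DefaultCookieSerializer serializer = new DefaultCookieSerializer();

        // Secure flag: the browser will only send the cookie over HTTPS, so the
        // session ID is never exposed on a plaintext HTTP connection. This is the
        // call the recipe's search pattern looks for after the constructor.
        serializer.setUseSecureCookie(true);

        // HttpOnly flag: script in the page cannot read the cookie, which limits
        // session theft if an XSS bug is present.
        serializer.setUseHttpOnlyCookie(true);

        return serializer;
    }
}
```

Setting the flag explicitly matters even when the site is only reachable over HTTPS: when useSecureCookie is left unset, DefaultCookieSerializer falls back to request.isSecure() for each response, so an application behind a TLS-terminating proxy that forwards plain HTTP will see an insecure request and omit the Secure attribute. A quick check after deploying is to inspect the Set-Cookie header of a login response and confirm it carries both Secure and HttpOnly.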
Recipe
    id: scw:spring:web:cookie-missing-secure
    version: 10
    metadata:
      name: 'Session configuration: Cookies: Configure Secure flag'
      shortDescription: Prevent a cookie being sent over unencrypted HTTP by setting the Secure flag to true
      level: error
      language: java
      scwCategory: improper_session_handling:improper_flags_in_cookie_headers
      enabled: true
      descriptionFile: descriptions/SessionconfigurationCookiesConfigureSecureflag.html
      tags: Spring;security;framework specific;web;Spring Web;OWASP Top 10
    search:
      instanceCreation:
        not:
          followedBy:
            methodcall:
              name: setUseSecureCookie
        type: org.springframework.session.web.http.DefaultCookieSerializer
    availableFixes:
      - name: Set Secure flag to true
        actions:
          - addMethodCall:
              name: setUseSecureCookie
              arguments:
                - "true"
              position: first-available-spot