
CWE-614: Sensitive Cookie in HTTPS Session Without "Secure" Attribute

Status: Draft
Weakness ID: 614 (Weakness Variant)
Description
Summary

The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session.

Potential Mitigations

Always set the Secure attribute when the cookie should be sent over HTTPS only.

Demonstrative Examples

The snippet of code below, taken from a servlet doPost() method, sets an accountID cookie (sensitive) without calling setSecure(true).

Java Example:
Cookie c = new Cookie(ACCOUNT_ID, acctID); // setSecure(true) is never called, so the user agent may send this cookie over plaintext HTTP
response.addCookie(c);
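The servlet snippet above shows the defect on the server side; the same weakness is visible in the HTTP response, where the Set-Cookie header for a sensitive cookie lacks the Secure attribute. The following Python checker is an added example and is not part of the CWE entry: it parses Set-Cookie header values and reports sensitive cookies issued without Secure. The sample headers and the list of cookie names treated as sensitive are constructed for illustration (the accountID name is taken from the Java example; the others are hypothetical).

```python
from dataclasses import dataclass, field

# Constructed sample Set-Cookie header values, as a server might emit them over HTTPS.
SAMPLE_SET_COOKIE_HEADERS = [
    "accountID=8831; Path=/",                        # sensitive, Secure missing (CWE-614)
    "JSESSIONID=abc123; Path=/; HttpOnly; Secure",   # sensitive, Secure present
    "theme=dark; Path=/; Max-Age=31536000",          # not sensitive
    "csrf_token=9f2c; Path=/; SameSite=Strict",      # sensitive, Secure missing (CWE-614)
]

# Hypothetical set of cookie names the application treats as sensitive (compared case-insensitively).
SENSITIVE_COOKIE_NAMES = {"accountid", "jsessionid", "csrf_token"}


@dataclass
class ParsedCookie:
    name: str
    value: str
    # lower-cased attribute name -> attribute value, or None for flag attributes such as Secure
    attributes: dict = field(default_factory=dict)

    @property
    def secure(self) -> bool:
        return "secure" in self.attributes


def parse_set_cookie(header_value: str) -> ParsedCookie:
    """Parse one Set-Cookie header value into its name, value and attributes.

    Only the first '=' separates name from value, so values containing '='
    (for example base64 data) are preserved intact.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, sep, value = parts[0].partition("=")
    if not sep or not name.strip():
        raise ValueError(f"malformed cookie pair: {parts[0]!r}")
    cookie = ParsedCookie(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        if not attr:
            continue
        attr_name, attr_sep, attr_value = attr.partition("=")
        cookie.attributes[attr_name.strip().lower()] = attr_value.strip() if attr_sep else None
    return cookie


def find_insecure_sensitive_cookies(headers, sensitive_names=SENSITIVE_COOKIE_NAMES):
    """Return the names of sensitive cookies that were set without the Secure attribute."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie.name.lower() in sensitive_names and not cookie.secure:
            findings.append(cookie.name)
    return findings


if __name__ == "__main__":
    for name in find_insecure_sensitive_cookies(SAMPLE_SET_COOKIE_HEADERS):
        print(f"CWE-614: sensitive cookie {name!r} set without the Secure attribute")
```

The check is only meaningful for responses served over HTTPS, which is the situation the weakness describes; a cookie issued over plain HTTP is already exposed regardless of the attribute. The same parser can be pointed at captured responses from a proxy or test client to confirm that the mitigation (setting Secure) actually reaches the wire.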
Observed Examples
Reference    Description
             A product does not set the Secure attribute for sensitive cookies in HTTPS sessions, which could cause the user agent to send those cookies in plaintext over an HTTP session with the product.
Relationships
Nature     Type            ID    Name                                 View(s) this relationship pertains to
ChildOf    Weakness Base   311   Failure to Encrypt Sensitive Data    Development Concepts (primary) 699; Research Concepts (primary) 1000
Taxonomy Mappings
Mapped Taxonomy Name
Anonymous Tool Vendor (under NDA)
Time of Introduction
* Implementation
Content History
Submissions
Anonymous Tool Vendor (under NDA). (Externally Mined)
Modifications
Sean Eidemiller. Cigital. 2008-07-01. (External)
added/updated demonstrative examples
Eric Dalci. Cigital. 2008-07-01. (External)
updated Potential_Mitigations, Time_of_Introduction
CWE Content Team. MITRE. 2008-09-08. (Internal)
updated Relationships, Taxonomy_Mappings
Previous Entry Names
* Unset Secure Attribute for Sensitive Cookies in HTTPS Session (changed 2008-04-11)
Page Last Updated: September 10, 2008