Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

JAV005

insecure_cookie

CWE-614

⚠️ Warning

---

This rule identifies and flags any instance where cookies in Java web applications are created or set without the Secure flag. The absence of this flag allows the cookie to be transmitted over non-HTTPS connections, which poses a risk of interception by an attacker, especially through man-in-the-middle (MITM) attacks.

Cookies are often used to store sensitive information such as session identifiers and personal data. When a cookie is set without the Secure flag, it can be sent over both secure (HTTPS) and insecure (HTTP) connections. This vulnerability exposes the cookie to potential interception when transmitted over an insecure connection. To mitigate this risk, the Secure flag should be set on all cookies that are intended for HTTPS sites, ensuring they are only sent via secure connections.

Example

import javax.servlet.http.Cookie;

public class SessionCookie {
    public static void main(String[] args) {
        Cookie cookie = new Cookie("cookieName", "cookieValue");
        cookie.setSecure(false);
    }
}

Remediation

All cookies containing sensitive data or used in a secure context must have the Secure flag enabled. This practice ensures that the cookies are transmitted only over HTTPS, providing protection against eavesdropping and MITM attacks on the communication channel.

import javax.servlet.http.Cookie;

public class SessionCookie {
    public static void main(String[] args) {
        Cookie cookie = new Cookie("cookieName", "cookieValue");
        cookie.setSecure(true);
    }
}

False Positives

In the case of a false positive the rule can be suppressed. Simply add a trailing or preceding comment line with either the rule ID (JAV005) or rule category name (insecure_cookie).

Using rule ID

fix

import javax.servlet.http.Cookie;

public class SessionCookie {
    public static void main(String[] args) {
        Cookie cookie = new Cookie("cookieName", "cookieValue");
        // suppress: JAV005
        cookie.setSecure(false);
    }
}

Using category name

fix

import javax.servlet.http.Cookie;

public class SessionCookie {
    public static void main(String[] args) {
        Cookie cookie = new Cookie("cookieName", "cookieValue");
        // suppress: insecure_cookie
        cookie.setSecure(false);
    }
}

See also

info

• Cookie (Java(TM) EE Specification APIs)
• CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute (PRNG) ::