Failure to use secure cookies¶

ID: java/insecure-cookie
Kind: problem
Security severity: 5.0
Severity: error
Precision: high
Tags:
   - security
   - external/cwe/cwe-614
Query suites:
   - java-code-scanning.qls
   - java-security-extended.qls
   - java-security-and-quality.qls

Click to see the query in the CodeQL repository

Failing to set the ‘secure’ flag on a cookie can cause it to be sent in cleartext. This makes it easier for an attacker to intercept.

Recommendation¶

Always use setSecure to set the ‘secure’ flag on a cookie before adding it to an HttpServletResponse.

Example¶

This example shows two ways of adding a cookie to an HttpServletResponse. The first way leaves out the setting of the ‘secure’ flag; the second way includes the setting of the flag.

public static void test(HttpServletRequest request, HttpServletResponse response) {
	{
		Cookie cookie = new Cookie("secret", "fakesecret");
		
		// BAD: 'secure' flag not set
		response.addCookie(cookie);
	}

	{
		Cookie cookie = new Cookie("secret", "fakesecret");
		
		// GOOD: set 'secure' flag
		cookie.setSecure(true);
		response.addCookie(cookie);
	}
}

References¶

SEI CERT Oracle Coding Standard for Java: SER03-J. Do not serialize unencrypted, sensitive data.
Java Platform, Enterprise Edition (Java EE) 7, API Specification: Class Cookie.
Common Weakness Enumeration: CWE-614.

© GitHub, Inc.
Terms
Privacy

pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.

Alternative Proxies:

Alternative Proxy