ID: java/insecure-cookie Kind: problem Security severity: 4.0 Severity: error Precision: high Tags: - security - external/cwe/cwe-614 Query suites: - java-code-scanning.qls - java-security-extended.qls - java-security-and-quality.qls
Click to see the query in the CodeQL repository
Failing to set the ‘secure’ flag on a cookie can cause it to be sent in cleartext. This makes it easier for an attacker to intercept.
Recommendation¶
Always use setSecure to set the ‘secure’ flag on a cookie before adding it to an HttpServletResponse.
Example¶
This example shows two ways of adding a cookie to an HttpServletResponse. The first way leaves out the setting of the ‘secure’ flag; the second way includes the setting of the flag.
public static void test(HttpServletRequest request, HttpServletResponse response) { { Cookie cookie = new Cookie("secret", "fakesecret"); // BAD: 'secure' flag not set response.addCookie(cookie); } { Cookie cookie = new Cookie("secret", "fakesecret"); // GOOD: set 'secure' flag cookie.setSecure(true); response.addCookie(cookie); } }
References¶
SEI CERT Oracle Coding Standard for Java: SER03-J. Do not serialize unencrypted, sensitive data.
Java Platform, Enterprise Edition (Java EE) 7, API Specification: Class Cookie.
Common Weakness Enumeration: CWE-614.