‘Secure’ attribute is not set to true — CodeQL query help documentation
ID: rust/insecure-cookie
Kind: path-problem
Security severity: 7.5
Severity: error
Precision: high
Tags:
- security
- external/cwe/cwe-319
- external/cwe/cwe-614
Query suites:
- rust-code-scanning.qls
- rust-security-extended.qls
- rust-security-and-quality.qls
Failing to set the ‘Secure’ attribute on a cookie allows it to be transmitted over an unencrypted (HTTP) connection. If an attacker can observe a user’s network traffic, they can access sensitive information in the cookie and potentially use it to impersonate the user.
Recommendation
Always set the cookie ‘Secure’ attribute so that the browser only sends the cookie over HTTPS.
Example
The following example creates a cookie using the cookie crate without the ‘Secure’ attribute:
use cookie::Cookie;
// BAD: creating a cookie without specifying the `secure` attribute
let cookie = Cookie::build(("session", "abcd1234")).build();
let mut jar = cookie::CookieJar::new();
jar.add(cookie.clone());
In the fixed example, we either call secure(true) on the CookieBuilder or set_secure(true) on the Cookie itself:
use cookie::Cookie;
// GOOD: set the `CookieBuilder` 'Secure' attribute so that the cookie is only sent over HTTPS
let secure_cookie = Cookie::build(("session", "abcd1234")).secure(true).build();
let mut jar = cookie::CookieJar::new();
jar.add(secure_cookie.clone());
// GOOD: alternatively, set the 'Secure' attribute on an existing `Cookie`
let mut secure_cookie2 = Cookie::new("session", "abcd1234");
secure_cookie2.set_secure(true);
jar.add(secure_cookie2);
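As an added example that is not part of the CodeQL documentation and does not use the cookie crate, the following standard-library Rust code performs the runtime counterpart of this query: it parses the Set-Cookie header values a server actually emits and reports every cookie that lacks the Secure attribute (the sample header values are constructed).

```rust
// Added example (not from the CodeQL docs): audit `Set-Cookie` header values for the
// `Secure` attribute using only std. Attribute names match case-insensitively, as in browsers.
#[derive(Debug, PartialEq)]
pub struct CookieAudit {
    pub name: String,
    pub secure: bool,
    pub http_only: bool,
}

/// Parse one `Set-Cookie` header value; None when it has no `name=value` pair.
pub fn audit_set_cookie(header: &str) -> Option<CookieAudit> {
    let mut parts = header.split(';').map(str::trim);
    let name = parts.next()?.split_once('=')?.0.trim();
    if name.is_empty() {
        return None;
    }
    let (mut secure, mut http_only) = (false, false);
    for attr in parts {
        // Attributes may carry a value (`Path=/`); only the name matters here.
        let key = attr.split_once('=').map_or(attr, |(k, _)| k).trim();
        if key.eq_ignore_ascii_case("Secure") {
            secure = true;
        } else if key.eq_ignore_ascii_case("HttpOnly") {
            http_only = true;
        }
    }
    Some(CookieAudit { name: name.to_string(), secure, http_only })
}

/// Names of cookies in `headers` that a browser would also send over plain HTTP.
pub fn insecure_cookies(headers: &[&str]) -> Vec<String> {
    headers
        .iter()
        .filter_map(|h| audit_set_cookie(h))
        .filter(|c| !c.secure)
        .map(|c| c.name)
        .collect()
}

fn main() {
    // Constructed sample response headers, not captured from a real server.
    let headers = [
        "session=abcd1234; Path=/; HttpOnly",
        "csrf=zz99; Path=/; Secure; HttpOnly; SameSite=Strict",
        "theme=dark; path=/; secure",
    ];
    for name in insecure_cookies(&headers) {
        println!("cookie `{name}` is missing the Secure attribute");
    }
}
```

Only the first sample cookie is reported; the lower-case `secure` on the third one is accepted because attribute names are case-insensitive.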