
Failure to use secure cookies

ID: java/insecure-cookie
Kind: problem
Security severity: 4.0
Severity: error
Precision: high
Tags:
- security
- external/cwe/cwe-614
Query suites:
- java-code-scanning.qls
- java-security-extended.qls
- java-security-and-quality.qls


Failing to set the ‘secure’ flag on a cookie allows the browser to send it over unencrypted HTTP as well as HTTPS, so the cookie can travel in cleartext. This makes it easier for an attacker on the network path to intercept it.

Recommendation

Always use setSecure to set the ‘secure’ flag on a cookie before adding it to an HttpServletResponse.

Example

This example shows two ways of adding a cookie to an HttpServletResponse. The first leaves the ‘secure’ flag unset; the second sets the flag before the cookie is added.

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public static void test(HttpServletRequest request, HttpServletResponse response) {
    {
        Cookie cookie = new Cookie("secret", "fakesecret");
        // BAD: 'secure' flag not set
        response.addCookie(cookie);
    }
    {
        Cookie cookie = new Cookie("secret", "fakesecret");
        // GOOD: set 'secure' flag
        cookie.setSecure(true);
        response.addCookie(cookie);
    }
}
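The following is an added example, not code from the CodeQL query or its test suite. It wraps the recommendation above in a small helper that always issues cookies with the ‘secure’ flag, and adds an audit that inspects the Set-Cookie header values queued on a response so that a servlet filter or an integration test can catch a cookie that was added without the flag. The class and method names (SecureCookies, addSessionCookie, missingSecureFlag, countInsecureCookies) are hypothetical; the servlet API calls (Cookie.setSecure, Cookie.setHttpOnly, HttpServletResponse.addCookie, HttpServletResponse.getHeaders) are standard Servlet 3.0+ API.

```java
import java.util.Collection;
import javax.servlet.http.Cookie;          // jakarta.servlet.http.* on Servlet 5+
import javax.servlet.http.HttpServletResponse;

// Added example (hypothetical helper, not part of the CodeQL query).
public final class SecureCookies {

    private SecureCookies() {}

    // Build and add a cookie that the browser will only send over TLS.
    // HttpOnly is set as well so script cannot read the value; it is
    // independent of 'secure' and does not replace it.
    public static Cookie addSessionCookie(HttpServletResponse response,
                                          String name, String value,
                                          int maxAgeSeconds) {
        Cookie cookie = new Cookie(name, value);
        cookie.setSecure(true);      // the attribute this query checks for
        cookie.setHttpOnly(true);
        cookie.setPath("/");
        cookie.setMaxAge(maxAgeSeconds);
        response.addCookie(cookie);
        return cookie;
    }

    // Returns true when a single Set-Cookie header value lacks the Secure
    // attribute. Attribute names are case-insensitive (RFC 6265), so the
    // comparison ignores case. parts[0] is name=value; the rest are attributes.
    public static boolean missingSecureFlag(String setCookieHeader) {
        String[] parts = setCookieHeader.split(";");
        for (int i = 1; i < parts.length; i++) {
            if (parts[i].trim().equalsIgnoreCase("Secure")) {
                return false;
            }
        }
        return true;
    }

    // Audit every Set-Cookie header queued on the response and return how
    // many cookies would be sent without the Secure attribute. Call this
    // before the response is committed (for example at the end of a filter).
    public static int countInsecureCookies(HttpServletResponse response) {
        int insecure = 0;
        Collection<String> headers = response.getHeaders("Set-Cookie");
        for (String header : headers) {
            if (missingSecureFlag(header)) {
                insecure++;
            }
        }
        return insecure;
    }
}
```

Two caveats when using this. First, whether a cookie added with addCookie is visible through getHeaders("Set-Cookie") before the response is committed depends on the container; Tomcat materializes it as a header immediately, other containers may not, so verify on the container you deploy to. Second, setSecure only marks the cookie; the browser enforces the flag, so the application must actually be served over HTTPS, otherwise a browser that honours the attribute will not store or send the cookie at all.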
