Cookie Without Secure Flag
| Field | Value |
| --- | --- |
| ID | cookie_without_secure_flag |
| Severity | low |
| Kind | Session Management |
| CWE | 614 |
Description
A cookie has been set without the Secure attribute, which instructs the browser to transmit the cookie only over encrypted HTTPS connections. Without this attribute, the browser may send the cookie in plain text over unencrypted HTTP requests. This affects any cookie carrying sensitive information, such as session identifiers, authentication tokens, or user preferences.
Rationale
When the Secure flag is missing, an attacker performing a man-in-the-middle attack on an unencrypted connection can intercept the cookie value in transit. If the intercepted cookie is a session token, the attacker can hijack the user’s authenticated session and gain unauthorized access to the application. Even on sites primarily served over HTTPS, a single HTTP request is enough to expose the cookie if the flag is not set.
Remediation
Set the Secure attribute on all cookies that contain sensitive information or serve as session identifiers. This ensures the browser never sends them over an unencrypted connection.
Verify that the entire application is served over HTTPS so that the Secure flag does not prevent normal cookie delivery. Redirect all HTTP traffic to HTTPS to eliminate any path where cookies could be transmitted in clear text.
Consider also setting the HttpOnly attribute to prevent client-side scripts from accessing the cookie, and the SameSite attribute to restrict cross-site cookie transmission. These complementary flags strengthen session cookie protection against XSS and CSRF attacks.
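The following is an added example, not code from the original finding page: it builds a session cookie carrying the three attributes the remediation recommends (Secure, HttpOnly, SameSite) using the Python standard library, and it audits Set-Cookie headers for the missing Secure attribute described above, plus the two complementary attributes. The cookie names, values and sample response headers are constructed for illustration; `build_session_cookie`, `parse_set_cookie`, `audit_set_cookie` and `audit_response_headers` are names chosen here, not any framework's API.

```python
"""Added example (not part of the original finding page): build a hardened
session cookie and audit Set-Cookie headers for the attributes discussed above.
Cookie names, values and the sample headers are constructed for illustration."""
from __future__ import annotations

from http.cookies import SimpleCookie

# Attributes the finding and its remediation care about; the audit reports
# whichever of these a Set-Cookie header lacks.
REQUIRED_ATTRIBUTES = ("Secure", "HttpOnly", "SameSite")


def build_session_cookie(name: str, value: str, max_age: int = 3600) -> str:
    """Return a Set-Cookie header value with Secure, HttpOnly and SameSite set.

    Uses the standard library's SimpleCookie, so the output is a valid header
    value for any framework that lets you set raw response headers.
    """
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["secure"] = True        # only sent over HTTPS (the fix for this finding)
    morsel["httponly"] = True      # not readable via document.cookie
    morsel["samesite"] = "Lax"     # not sent on cross-site POST requests
    morsel["path"] = "/"
    morsel["max-age"] = max_age
    return morsel.OutputString()


def parse_set_cookie(header: str) -> tuple[str, dict[str, str]]:
    """Split a Set-Cookie header value into (cookie_name, {attr_lower: value}).

    Attribute names are case-insensitive (RFC 6265), so they are lower-cased;
    flag attributes such as Secure map to an empty string.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    cookie_name = parts[0].partition("=")[0].strip()
    attrs: dict[str, str] = {}
    for part in parts[1:]:
        attr_name, _, attr_value = part.partition("=")
        attrs[attr_name.strip().lower()] = attr_value.strip()
    return cookie_name, attrs


def audit_set_cookie(header: str) -> list[str]:
    """Return the required attributes missing from one Set-Cookie header value.

    An empty list means the cookie carries Secure, HttpOnly and SameSite.
    """
    _, attrs = parse_set_cookie(header)
    return [a for a in REQUIRED_ATTRIBUTES if a.lower() not in attrs]


def audit_response_headers(headers: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Audit every Set-Cookie header in a response's (name, value) header list.

    Returns {cookie_name: [missing attributes]} for cookies with findings only.
    """
    findings: dict[str, list[str]] = {}
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        missing = audit_set_cookie(value)
        if missing:
            cookie_name, _ = parse_set_cookie(value)
            findings[cookie_name] = missing
    return findings


if __name__ == "__main__":
    # Constructed sample response: one weak cookie, one hardened cookie.
    sample_headers = [
        ("Content-Type", "text/html"),
        ("Set-Cookie", "session_id=abc123; Path=/"),                   # triggers the finding
        ("Set-Cookie", build_session_cookie("session_id2", "def456")),  # passes
    ]
    for cookie, missing in audit_response_headers(sample_headers).items():
        print(f"{cookie}: missing {', '.join(missing)}")
```

Run against a captured response header list, the audit reports `session_id: missing Secure, HttpOnly, SameSite` for the weak cookie and nothing for the hardened one. Because the hardened cookie is marked Secure, the HTTP-to-HTTPS redirect from the remediation still matters: the browser will simply not send the cookie on any plain HTTP request, so every page must be reachable over HTTPS.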
References
- Testing for Cookie Attributes, in OWASP Web Security Testing Guide.