Information Exposure Through Persistent Cookies

ID

scala.cookie.scala_cookie_rule_cookieinsecure

Severity

low

Resource

Cookie

Language

Scala

Description

A new cookie is created without the Secure flag set. The Secure flag instructs the browser never to send the cookie over an insecure (http://) connection, so a cookie without it can be exposed in cleartext.

Rationale

A new cookie is created without the Secure flag set. The Secure flag instructs the browser never to send the cookie over an insecure (http://) connection, so a cookie without it can be exposed in cleartext.

The following code illustrates a vulnerable pattern detected by this rule:

import javax.servlet.http.{Cookie, HttpServletResponse}

def danger(res: HttpServletResponse): Unit = {
  // VULNERABLE: Information Exposure Through Persistent Cookies
  val cookie = new Cookie("key", "value")
  cookie.setHttpOnly(true) // HttpOnly alone does not stop transmission over http://
  cookie.setMaxAge(60)     // persistent for 60 seconds
  // VULNERABLE: Information Exposure Through Persistent Cookies
  cookie.setSecure(false) // danger: the browser will send this cookie over plain HTTP

  res.addCookie(cookie)
}
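The hardened form of the pattern above, together with a small audit helper, as an added example that is not part of this rule page or of the detector's own code. It assumes the standard javax.servlet API (Servlet 3.0 or later for HttpOnly support); the object and method names (SecureCookies, sessionCookie, missingFlags, auditSetCookieHeader) are hypothetical, and the header line used as input is constructed for illustration.

```scala
import javax.servlet.http.{Cookie, HttpServletResponse}

object SecureCookies {

  // Hardened counterpart of danger(): the same cookie, but with Secure set so the
  // browser only ever sends it over HTTPS. HttpOnly is kept so scripts cannot read it.
  def sessionCookie(name: String, value: String, maxAgeSeconds: Int): Cookie = {
    val cookie = new Cookie(name, value)
    cookie.setHttpOnly(true)
    cookie.setSecure(true)      // the fix for this rule
    cookie.setMaxAge(maxAgeSeconds)
    cookie.setPath("/")
    cookie
  }

  def safe(res: HttpServletResponse): Unit =
    res.addCookie(sessionCookie("key", "value", 60))

  // Returns the names of the protective flags a Cookie object is missing.
  // Useful in a unit test that guards against regressions of this finding.
  def missingFlags(cookie: Cookie): Seq[String] = {
    val missing = Seq.newBuilder[String]
    if (!cookie.getSecure) missing += "Secure"
    if (!cookie.isHttpOnly) missing += "HttpOnly"
    missing.result()
  }

  // The same check applied to a raw Set-Cookie header line, so it can be run
  // against captured responses (e.g. from an integration test or a proxy log)
  // without access to the Cookie object. Attribute names are case-insensitive.
  def auditSetCookieHeader(headerLine: String): Seq[String] = {
    val value = headerLine.stripPrefix("Set-Cookie:").trim
    val attrs = value.split(";").drop(1).map(_.trim.toLowerCase)
    val missing = Seq.newBuilder[String]
    if (!attrs.contains("secure")) missing += "Secure"
    if (!attrs.contains("httponly")) missing += "HttpOnly"
    missing.result()
  }

  def main(args: Array[String]): Unit = {
    // Constructed sample: what danger() above would emit, captured from a response.
    val insecureHeader = "Set-Cookie: key=value; Max-Age=60; HttpOnly"
    println(s"insecure header missing: ${auditSetCookieHeader(insecureHeader)}")
    // -> List(Secure)

    val hardened = sessionCookie("key", "value", 60)
    println(s"hardened cookie missing: ${missingFlags(hardened)}")
    // -> List()
  }
}
```

Both helpers report the same gap the detector reports: for the insecure header the only missing flag is Secure, and for the cookie built by sessionCookie nothing is missing. Note that a Secure cookie is still stored by the browser; the flag only restricts the transport on which it is sent back, so the application must also be served over HTTPS for the fix to matter.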

Remediation

Set the Secure flag on every cookie the application creates (cookie.setSecure(true)) so the browser sends it only over HTTPS, and review the references below for detailed remediation guidance.

Configuration

This detector does not need any configuration.

References