Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

ID

scala.cookie.scala_cookie_rule_cookiepersistent

Severity

low

Resource

Cookie

Language

Scala

Description

"Storing sensitive data in a persistent cookie for an extended period can lead to a breach of confidentiality or account compromise."

Rationale

"Storing sensitive data in a persistent cookie for an extended period can lead to a breach of confidentiality or account compromise."

The following code illustrates a vulnerable pattern detected by this rule:

import javax.servlet.http.{Cookie, HttpServletResponse}

def danger(res: HttpServletResponse): Unit = {
  val cookie = new Cookie("key", "value")
  cookie.setSecure(true)
  cookie.setHttpOnly(true)
  // VULNERABLE: sensitive value kept in a persistent cookie for an extended
  // period (one year), which is the pattern this rule flags
  cookie.setMaxAge(31536000) // danger

  res.addCookie(cookie)
}

Remediation

Avoid storing sensitive data in a persistent cookie for an extended period; follow secure coding practices and review the references below for detailed remediation guidance.
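The following is an added example, not part of the rule's own documentation, that places the flagged pattern beside two remediated forms and a small review helper. It assumes the standard javax.servlet API (Servlet 3.0 or later for setHttpOnly/isHttpOnly); the one-day threshold used to decide what counts as "an extended period" is an assumption for illustration, since the page does not state the rule's actual cut-off.

```scala
import javax.servlet.http.{Cookie, HttpServletResponse}

object SensitiveCookies {
  // Assumed threshold for "extended period": lifetimes beyond one day are
  // treated as persistent here. The detector's real threshold is not given on the page.
  val MaxSensitiveLifetimeSeconds: Int = 24 * 60 * 60

  // Flagged shape: the cookie carries a session token and is kept for a year,
  // so the browser writes it to disk and it survives browser restarts.
  def persistentSensitiveCookie(res: HttpServletResponse, token: String): Unit = {
    val cookie = new Cookie("session", token)
    cookie.setSecure(true)
    cookie.setHttpOnly(true)
    cookie.setMaxAge(31536000) // one year: the pattern the rule reports
    res.addCookie(cookie)
  }

  // Remediated shape 1: a session cookie. maxAge defaults to -1, so the browser
  // discards it when the session ends and never stores it persistently.
  def sessionOnlyCookie(res: HttpServletResponse, token: String): Unit = {
    val cookie = new Cookie("session", token)
    cookie.setSecure(true)   // only transmitted over HTTPS
    cookie.setHttpOnly(true) // not exposed to document.cookie
    cookie.setPath("/")
    // no setMaxAge call: the lifetime is the browser session
    res.addCookie(cookie)
  }

  // Remediated shape 2: if a lifetime is unavoidable, clamp it to the threshold
  // so a caller cannot request a multi-year cookie by mistake.
  def shortLivedCookie(res: HttpServletResponse, name: String, value: String,
                       requestedMaxAge: Int): Unit = {
    val cookie = new Cookie(name, value)
    cookie.setSecure(true)
    cookie.setHttpOnly(true)
    cookie.setMaxAge(math.min(requestedMaxAge, MaxSensitiveLifetimeSeconds))
    res.addCookie(cookie)
  }

  // Review helper: list the attribute problems on a cookie about to be sent.
  // Useful in a unit test or a response filter during code review.
  def findings(cookie: Cookie): Seq[String] = {
    val f = Seq.newBuilder[String]
    if (!cookie.getSecure) f += s"${cookie.getName}: Secure attribute not set"
    if (!cookie.isHttpOnly) f += s"${cookie.getName}: HttpOnly attribute not set"
    if (cookie.getMaxAge > MaxSensitiveLifetimeSeconds)
      f += s"${cookie.getName}: persistent for ${cookie.getMaxAge}s, above ${MaxSensitiveLifetimeSeconds}s"
    f.result()
  }
}
```

In a test you can build the cookie exactly as the application does and assert that `SensitiveCookies.findings(cookie)` is empty; the one-year cookie from the flagged example produces a single finding about its lifetime, while the session-only variant produces none.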

Configuration

This detector does not need any configuration.

References