Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
ID | scala.cookie.scala_cookie_rule_cookieusage
Severity | low
Resource | Cookie
Language | Scala
Description
The information stored in a custom cookie should not be sensitive or related to the session. In most cases, sensitive data should only be stored in session and referenced by the user’s session cookie.
Rationale
The following code illustrates a vulnerable pattern detected by this rule:
import java.io.IOException
import javax.servlet.ServletException
import javax.servlet.http.{Cookie, HttpServlet, HttpServletRequest, HttpServletResponse}

class CookieUsage extends HttpServlet {
  @throws[ServletException]
  @throws[IOException]
  override protected def doGet(req: HttpServletRequest, resp: HttpServletResponse): Unit = {
    // Each custom cookie is read and its contents used directly; the rule flags
    // every access because the cookie may carry sensitive or session-related data
    // and nothing guarantees it was transmitted only over HTTPS (Secure attribute).
    for (cookie <- req.getCookies) {
      // VULNERABLE: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
      cookie.getName
      // VULNERABLE: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
      cookie.getValue
      // VULNERABLE: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
      cookie.getPath
    }
  }

  // Same pattern in a helper: the first custom cookie is consumed directly.
  def getCookieName(req: HttpServletRequest): String = {
    val c: Cookie = req.getCookies.head
    c.getName
  }
}
Remediation
Follow secure coding practices and review the references below for detailed remediation guidance.
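The remediated form of the pattern above, as an added example that is not part of the rule page or its scanner: sensitive state is kept in the container-managed HttpSession and referenced through the session cookie, while the only custom cookie is a non-sensitive preference issued with the Secure and HttpOnly attributes. The class name SafeCookieUsage, the findCookie helper and the "theme"/"accountId" names are assumptions; setHttpOnly requires Servlet 3.0 or later.

```scala
import java.io.IOException
import javax.servlet.ServletException
import javax.servlet.http.{Cookie, HttpServlet, HttpServletRequest, HttpServletResponse}

// Added example (not from the original rule page): the hardened counterpart of
// the CookieUsage servlet flagged by this rule.
class SafeCookieUsage extends HttpServlet {

  // Hypothetical helper: look up a cookie by name, tolerating a null array
  // (getCookies returns null when the request carries no Cookie header, so
  // the original's req.getCookies.head would throw).
  private def findCookie(req: HttpServletRequest, name: String): Option[Cookie] =
    Option(req.getCookies).flatMap(_.find(_.getName == name))

  @throws[ServletException]
  @throws[IOException]
  override protected def doGet(req: HttpServletRequest, resp: HttpServletResponse): Unit = {
    // Sensitive data is reached only through the server-side session, which the
    // container ties to the user's session cookie; it is never stored in or read
    // from a custom cookie value.
    val session = req.getSession(true)
    val accountId = Option(session.getAttribute("accountId")).map(_.toString)

    // Do not issue any cookie on a request that did not arrive over TLS.
    if (!req.isSecure) {
      resp.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required")
      return
    }

    // The only custom cookie is a non-sensitive UI preference, and it carries
    // the attributes this rule expects.
    val theme = findCookie(req, "theme").map(_.getValue).getOrElse("light")
    val pref = new Cookie("theme", theme)
    pref.setSecure(true)    // browser sends it over HTTPS only
    pref.setHttpOnly(true)  // not readable by page script
    pref.setPath("/")
    pref.setMaxAge(60 * 60 * 24 * 30)
    resp.addCookie(pref)

    resp.setContentType("text/plain")
    resp.getWriter.println(s"account=${accountId.getOrElse("anonymous")} theme=$theme")
  }
}
```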
References
- OWASP Top 10 2021 - A01: Broken Access Control.