Mobb User Docs
Insecure Cookie Vulnerabilities

Learn how to prevent insecure cookie vulnerabilities with real code examples and best practices. Protect your web applications from cookie-based security threats.

Tools recognizing this:

Opengrep, Fortify, Checkmarx, SonarQube, Snyk, Semgrep, CodeQL

What are Insecure Cookies and How Do They Work?

Insecure cookies are a significant web security vulnerability that occurs when cookies containing sensitive information (such as session identifiers) are set without the attributes that restrict how browsers store and transmit them. When cookies are set without security flags, they become vulnerable to various attacks, including:

  • Man-in-the-middle attacks

  • Cookie theft through XSS

  • Session hijacking

  • Cookie sniffing over unsecured networks

  • Cross-site request forgery (CSRF)

This guide covers insecure cookie vulnerabilities, examples, prevention methods, and how to implement secure cookies using real-world techniques.

One Simple Insecure Cookie Example

Consider this basic example of setting a cookie:

Cookie cookie = new Cookie("sessionId", sessionValue);
response.addCookie(cookie);

This cookie is vulnerable because it:

  • Lacks the Secure flag (can be transmitted over HTTP)

  • Lacks the HttpOnly flag (can be accessed via JavaScript)

  • Doesn't specify the SameSite attribute (vulnerable to CSRF)

Insecure Cookie Prevention Methods: How to Fix Your Code

The most effective way to fix insecure cookie issues is to set appropriate security attributes when creating cookies. Essential security attributes include:

  • Secure flag: Ensures cookies are only transmitted over HTTPS

  • HttpOnly flag: Prevents JavaScript access to cookies

  • SameSite attribute: Controls how cookies are sent in cross-site requests

  • Appropriate expiration time (Max-Age or Expires)

  • Path and domain restrictions

Code Samples

Vulnerable Code (Java)

Cookie cookie = new Cookie("sessionId", sessionValue);

Fixed Code (Java)

Cookie cookie = new Cookie("sessionId", sessionValue);
cookie.setSecure(true);
cookie.setHttpOnly(true);
cookie.setMaxAge(3600);
cookie.setPath("/");
response.addCookie(cookie);

Fix Explanation

The vulnerable code creates a cookie without any security attributes. The fix adds the essential security flags, Secure and HttpOnly, and sets an appropriate expiration time and path restriction. The classic Servlet Cookie class has no SameSite setter; modern frameworks and newer Servlet API versions support SameSite configuration, otherwise the attribute has to be added when the Set-Cookie header itself is written.

Vulnerable Code (JavaScript, Express)

res.cookie('sessionId', sessionValue);

Fixed Code (JavaScript, Express)

res.cookie('sessionId', sessionValue, {
    secure: true,
    httpOnly: true,
    sameSite: 'strict',
    maxAge: 3600000,
    path: '/'
});

Fix Explanation

The vulnerable code sets a cookie without security options. The fix includes all necessary security attributes: it uses the secure, httpOnly, and sameSite flags and sets appropriate maxAge and path restrictions.

Vulnerable Code (Python)

response.set_cookie('sessionId', session_value)

Fixed Code (Python)

response.set_cookie(
    'sessionId',
    session_value,
    secure=True,
    httponly=True,
    samesite='Strict',
    max_age=3600,
    path='/'
)

Fix Explanation

The vulnerable code sets a cookie without security parameters. The fix adds all necessary security attributes: it includes the secure, httponly, and samesite flags and sets appropriate max_age and path restrictions.

Vulnerable Code (C#, ASP.NET Core)

Response.Cookies.Append("sessionId", sessionValue);

Fixed Code (C#, ASP.NET Core)

var options = new CookieOptions
{
    Secure = true,
    HttpOnly = true,
    SameSite = SameSiteMode.Strict,
    MaxAge = TimeSpan.FromHours(1),
    Path = "/"
};
Response.Cookies.Append("sessionId", sessionValue, options);

Fix Explanation

The vulnerable code creates a cookie without security options. The fix uses CookieOptions to set the security attributes: it includes the Secure, HttpOnly, and SameSite flags and sets appropriate MaxAge and Path restrictions.

Vulnerable Code (PHP)

setcookie("sessionId", $sessionValue);

Fixed Code (PHP)

setcookie(
    "sessionId",
    $sessionValue,
    [
        'expires' => time() + 3600,
        'path' => '/',
        'secure' => true,
        'httponly' => true,
        'samesite' => 'Strict'
    ]
);

Fix Explanation

The vulnerable code sets a cookie without security options. The fix passes an array of security attributes: it sets the secure, httponly, and samesite flags and includes an appropriate expiration time and path restriction.

Vulnerable Code (Ruby on Rails)

cookies[:session_id] = session_value

Fixed Code (Ruby on Rails)

cookies[:session_id] = {
  value: session_value,
  secure: true,
  httponly: true,
  same_site: :strict,
  expires: 1.hour.from_now,
  path: '/'
}

Fix Explanation

The vulnerable code sets a cookie without security options. The fix passes a hash of security attributes: it uses the secure, httponly, and same_site flags and sets an appropriate expiration time and path restriction.
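The fixed samples above all end up emitting the same kind of Set-Cookie header, and the attributes listed under Prevention Methods are what a reviewer or an integration test should look for in that header. The following is an added example, not Mobb's code and not taken from any of the frameworks above: it builds a session cookie with the standard library's http.cookies.SimpleCookie, once without flags (the vulnerable samples) and once with the flags the fixed samples set, and audits the resulting header for the attributes this guide calls essential. The __Host- prefix check goes beyond the guide; the cookie names and values are constructed for the example.

```python
"""Set-Cookie header construction and audit (added example, not Mobb's code).

Uses only the standard library: SimpleCookie builds the header a server
would emit, and audit_set_cookie() checks it for the attributes the guide
calls essential (Secure, HttpOnly, SameSite, expiration, Path).
"""
from http.cookies import SimpleCookie
from typing import Any, Dict, List

# Flags the guide treats as mandatory on a session cookie.
REQUIRED_FLAGS = ("secure", "httponly")
VALID_SAMESITE = ("strict", "lax", "none")


def parse_set_cookie(header: str) -> Dict[str, Any]:
    """Split one Set-Cookie header value into name, value and attributes.

    Audit each Set-Cookie header separately: never split a combined header
    on commas, because Expires values ("Wed, 21 Oct 2026 ...") contain one.
    Attribute names are case-insensitive (RFC 6265), so they are lowercased;
    valueless flags such as Secure and HttpOnly map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Any] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_set_cookie(header: str) -> List[str]:
    """Return findings for one Set-Cookie header; an empty list means it passes."""
    cookie = parse_set_cookie(header)
    attrs = cookie["attrs"]
    findings: List[str] = []

    for flag in REQUIRED_FLAGS:
        if flag not in attrs:
            findings.append(f"missing {flag}")

    samesite = attrs.get("samesite")
    if not isinstance(samesite, str):
        findings.append("missing samesite")
    elif samesite.lower() not in VALID_SAMESITE:
        findings.append(f"invalid samesite value {samesite!r}")
    elif samesite.lower() == "none" and "secure" not in attrs:
        # Browsers drop SameSite=None cookies that are not also Secure.
        findings.append("samesite=none requires secure")

    if "max-age" not in attrs and "expires" not in attrs:
        findings.append("missing expiration")
    if "path" not in attrs:
        findings.append("missing path")

    # Beyond the guide: the __Host- name prefix makes browsers enforce
    # Secure, Path=/ and no Domain, so a cookie carrying it must satisfy them.
    if cookie["name"].startswith("__Host-"):
        if "secure" not in attrs:
            findings.append("__Host- prefix requires secure")
        if attrs.get("path") != "/":
            findings.append("__Host- prefix requires path=/")
        if "domain" in attrs:
            findings.append("__Host- prefix forbids domain")
    return findings


def build_session_cookie(name: str, value: str, hardened: bool = True) -> str:
    """Produce the Set-Cookie header value for a session cookie.

    hardened=False reproduces the vulnerable samples (name and value only);
    hardened=True applies the flags the fixed samples set.
    """
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    if hardened:
        morsel["secure"] = True
        morsel["httponly"] = True
        morsel["samesite"] = "Strict"
        morsel["max-age"] = 3600
        morsel["path"] = "/"
    return morsel.OutputString()


if __name__ == "__main__":
    # Constructed sample value; a real session id comes from the framework.
    for hardened in (False, True):
        header = build_session_cookie("sessionId", "abc123", hardened)
        print(header)
        print("  findings:", audit_set_cookie(header) or "none")
```

Running the script prints the bare header `sessionId=abc123` with five findings, then the hardened header with none. The audit is meant to be dropped into a test that hits a login endpoint and inspects every Set-Cookie header the response carries, one header at a time.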

Need more help in preventing Insecure Cookies?

Mobb supports fixing many forms of Insecure Cookie vulnerabilities, and can mitigate your issues in batch. Start now for free at https://app.mobb.ai

We'd love your feedback!

We're excited to hear your thoughts and ideas about fixing vulnerabilities. Book a meeting or contact us if you have any corrections, questions or suggestions.

Last updated 2 months ago