Insecure Cookie Vulnerabilities
Learn how to prevent insecure cookie vulnerabilities with real code examples and best practices. Protect your web applications from cookie-based security threats.
Tools recognizing this:
Opengrep Fortify Checkmarx SonarQube Snyk Semgrep CodeQL
What are Insecure Cookies and How Do They Work?
Insecure cookies are a web security weakness that arises when a cookie carrying sensitive data, most often a session identifier, is set without the attributes that restrict how the browser stores, exposes and transmits it. A cookie set without those flags is exposed to attacks including:
Man-in-the-middle attacks
Cookie theft through XSS
Session hijacking
Cookie sniffing over unsecured networks
Cross-site request forgery (CSRF)
This guide covers insecure cookie vulnerabilities, examples, prevention methods, and how to implement secure cookies using real-world techniques.
One Simple Insecure Cookie Example
Consider this basic example of setting a cookie:

Cookie cookie = new Cookie("sessionId", sessionValue);
response.addCookie(cookie);

This cookie is vulnerable because it:
- Lacks the Secure flag (can be transmitted over plain HTTP)
- Lacks the HttpOnly flag (can be read by JavaScript through document.cookie)
- Doesn't specify a SameSite attribute (attached to cross-site requests, enabling CSRF)
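To see these gaps flagged mechanically, here is an added example (not code from the original page) that parses Set-Cookie header values and reports each missing or misused attribute. It goes a little beyond the three bullets above by also checking Max-Age against an assumed one-hour policy, flagging a Domain attribute, and enforcing the __Host- prefix rules; the sample headers, MAX_SESSION_AGE and the function names are assumptions for illustration.

```python
"""Audit Set-Cookie headers for the attributes discussed above.

Added example, not code from the original page. SAMPLE_HEADERS are constructed
for illustration and MAX_SESSION_AGE is an assumed policy ceiling.
"""
from __future__ import annotations

from dataclasses import dataclass, field

MAX_SESSION_AGE = 3600  # assumed policy: a session cookie lives at most one hour


@dataclass
class CookieAudit:
    name: str
    findings: list[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.findings


def parse_set_cookie(header: str) -> tuple[str, str, dict[str, str | None]]:
    """Split a Set-Cookie value into (name, value, {attribute: value}).

    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly carry no value and map to None.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: dict[str, str | None] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else None
    return name.strip(), value, attrs


def audit_set_cookie(header: str, max_age_limit: int = MAX_SESSION_AGE) -> CookieAudit:
    """Return every security attribute the header is missing or gets wrong."""
    name, _value, attrs = parse_set_cookie(header)
    audit = CookieAudit(name)
    if "secure" not in attrs:
        audit.findings.append("missing Secure: browser also sends it over plain HTTP")
    if "httponly" not in attrs:
        audit.findings.append("missing HttpOnly: readable via document.cookie after XSS")
    same_site = (attrs.get("samesite") or "").lower()
    if same_site not in ("strict", "lax"):
        audit.findings.append("SameSite missing or None: attached to cross-site requests (CSRF)")
    max_age = attrs.get("max-age")
    if max_age is not None:
        try:
            too_long = int(max_age) > max_age_limit
        except ValueError:
            too_long = True
        if too_long:
            audit.findings.append(f"Max-Age={max_age}: invalid or longer than {max_age_limit}s")
    if "domain" in attrs:
        audit.findings.append(f"Domain={attrs['domain']}: shared with every subdomain")
    # __Host- cookies must be Secure, use Path=/ and carry no Domain; browsers
    # drop any that violate this, so the session would silently never be set.
    if name.startswith("__Host-") and (
        "secure" not in attrs or attrs.get("path") != "/" or "domain" in attrs
    ):
        audit.findings.append("__Host- prefix rules violated: browser rejects the cookie")
    return audit


SAMPLE_HEADERS = [  # constructed for illustration, not captured from a real server
    "sessionId=abc123",
    "sessionId=abc123; Secure; HttpOnly; SameSite=Strict; Max-Age=3600; Path=/",
    "sessionId=abc123; Secure; HttpOnly; SameSite=None; Max-Age=31536000; Domain=example.com",
    "__Host-sessionId=abc123; Secure; HttpOnly; SameSite=Lax; Path=/",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        result = audit_set_cookie(header)
        print("OK  " if result.ok else "FAIL", header)
        for finding in result.findings:
            print("      -", finding)
```

Feed it the Set-Cookie values a scanner or a response capture returns; any audit with findings is a cookie the fixes in the next section apply to.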
Insecure Cookie Prevention Methods: How to Fix Your Code
The most effective way to fix insecure cookie issues is to set the security attributes when the cookie is created. The essential attributes are:
Secure flag: the browser sends the cookie only over HTTPS (a Secure cookie is therefore never sent to a plain-HTTP development server)
HttpOnly flag: the cookie is hidden from JavaScript (document.cookie), so an XSS payload cannot read it
SameSite attribute: controls whether the cookie is attached to cross-site requests; Strict or Lax blocks the cross-site POST that CSRF relies on
A bounded lifetime (Max-Age or Expires): limits how long a stolen cookie can be replayed
Path and Domain restrictions: scope the cookie to the paths that need it, and omit Domain so the cookie is not shared with every subdomain
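The following added example (not code from the page or from any framework) models how the Secure and SameSite attributes decide whether a browser attaches a cookie to a request, and how HttpOnly keeps it out of document.cookie. CookiePolicy, Request, browser_sends and script_can_read are assumed names; the rules follow the SameSite semantics browsers implement, simplified to the cases that matter for a session cookie, and an omitted SameSite attribute is modelled as the legacy always-send behaviour.

```python
"""Model which of the attributes above stop the browser from attaching a cookie.

Added example, not code from the original page or any framework. CookiePolicy
and Request are assumed names; browser_sends() implements the Secure and
SameSite rules browsers apply, reduced to the cases relevant to session cookies.
"""
from __future__ import annotations

from dataclasses import dataclass

SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


@dataclass(frozen=True)
class CookiePolicy:
    name: str
    value: str
    secure: bool = True
    http_only: bool = True
    same_site: str | None = "Strict"  # "Strict", "Lax", "None", or None (attribute omitted)
    max_age: int = 3600               # seconds; bounds how long a stolen cookie replays
    path: str = "/"

    def header(self) -> str:
        """Render the Set-Cookie value, refusing SameSite=None without Secure
        (modern browsers reject that combination)."""
        if self.same_site == "None" and not self.secure:
            raise ValueError("SameSite=None requires Secure")
        parts = [f"{self.name}={self.value}", f"Max-Age={self.max_age}", f"Path={self.path}"]
        if self.secure:
            parts.append("Secure")
        if self.http_only:
            parts.append("HttpOnly")
        if self.same_site is not None:
            parts.append(f"SameSite={self.same_site}")
        return "; ".join(parts)


@dataclass(frozen=True)
class Request:
    scheme: str        # "https" or "http"
    cross_site: bool   # initiated from a different site than the cookie's
    top_level: bool    # address-bar or link navigation, not an XHR/fetch/img/iframe load
    method: str = "GET"


def browser_sends(cookie: CookiePolicy, req: Request) -> bool:
    """Would a browser attach this cookie to the request?"""
    if cookie.secure and req.scheme != "https":
        return False                      # Secure: never over plain HTTP
    if not req.cross_site:
        return True                       # same-site requests always carry it
    if cookie.same_site == "Strict":
        return False                      # never on cross-site requests
    if cookie.same_site == "Lax":
        # only on top-level navigations with a safe method; the cross-site
        # POST that CSRF relies on is blocked
        return req.top_level and req.method.upper() in SAFE_METHODS
    # "None", or attribute omitted: assumed legacy behaviour, attached everywhere.
    # Chromium-based browsers treat an omitted attribute as Lax by default.
    return True


def script_can_read(cookie: CookiePolicy) -> bool:
    """Is the cookie exposed to document.cookie, and so to an XSS payload?"""
    return not cookie.http_only


if __name__ == "__main__":
    hardened = CookiePolicy("sessionId", "abc123")
    legacy = CookiePolicy("sessionId", "abc123", secure=False, http_only=False, same_site=None)
    csrf_post = Request("https", cross_site=True, top_level=True, method="POST")
    for label, cookie in (("hardened", hardened), ("legacy", legacy)):
        print(f"{label}: {cookie.header()}")
        print(f"  sent on cross-site POST: {browser_sends(cookie, csrf_post)}")
        print(f"  readable by script:      {script_can_read(cookie)}")
```

The legacy policy reproduces the one-line examples in the sections that follow: the cookie rides along on a cross-site POST and is readable from script, which is exactly what the fixes below remove.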
Code Samples
Vulnerable Code
Cookie cookie = new Cookie("sessionId", sessionValue);
Fixed Code
Cookie cookie = new Cookie("sessionId", sessionValue);
cookie.setSecure(true);
cookie.setHttpOnly(true);
cookie.setMaxAge(3600);
cookie.setPath("/");
response.addCookie(cookie);

Fix Explanation
The vulnerable code creates a cookie without any security attributes. The fix adds the essential security flags, Secure and HttpOnly, and sets a one-hour expiration (setMaxAge takes seconds) and a path restriction. The Servlet Cookie class has no SameSite setter: on Jakarta Servlet 6.0 and later it can be added through the generic cookie attribute setter, and on older containers it has to be emitted in the Set-Cookie header directly or configured at the container level.
Vulnerable Code
res.cookie('sessionId', sessionValue);

Fixed Code
res.cookie('sessionId', sessionValue, {
  secure: true,
  httpOnly: true,
  sameSite: 'strict',
  maxAge: 3600000,
  path: '/'
});

Fix Explanation
The vulnerable code sets a cookie without security options. The fix passes the secure, httpOnly and sameSite options (Express accepts 'strict', 'lax' or 'none' for sameSite) and sets a one-hour maxAge, which Express takes in milliseconds (hence 3600000), plus a path restriction.
Vulnerable Code
response.set_cookie('sessionId', session_value)

Fixed Code
response.set_cookie(
    'sessionId',
    session_value,
    secure=True,
    httponly=True,
    samesite='Strict',
    max_age=3600,
    path='/'
)

Fix Explanation
The vulnerable code sets a cookie without security parameters. The fix adds the secure, httponly and samesite keyword arguments, which both Flask's and Django's set_cookie accept, and sets a one-hour max_age (in seconds) and a path restriction.
Vulnerable Code
Response.Cookies.Append("sessionId", sessionValue);

Fixed Code
var options = new CookieOptions
{
    Secure = true,
    HttpOnly = true,
    SameSite = SameSiteMode.Strict,
    MaxAge = TimeSpan.FromHours(1),
    Path = "/"
};
Response.Cookies.Append("sessionId", sessionValue, options);

Fix Explanation
The vulnerable code creates a cookie without security options. The fix passes a CookieOptions instance that sets Secure, HttpOnly and SameSite, a one-hour MaxAge and a Path restriction.
Vulnerable Code
setcookie("sessionId", $sessionValue);

Fixed Code
setcookie(
    "sessionId",
    $sessionValue,
    [
        'expires' => time() + 3600,
        'path' => '/',
        'secure' => true,
        'httponly' => true,
        'samesite' => 'Strict'
    ]
);

Fix Explanation
The vulnerable code sets a cookie without security options. The fix uses the options-array form of setcookie (available since PHP 7.3 and the form needed to set samesite) to set the secure, httponly and samesite flags, a one-hour expiry and a path restriction.
Vulnerable Code
cookies[:session_id] = session_value

Fixed Code
cookies[:session_id] = {
  value: session_value,
  secure: true,
  httponly: true,
  same_site: :strict,
  expires: 1.hour.from_now,
  path: '/'
}

Fix Explanation
The vulnerable code sets a cookie without security options. The fix passes a hash of cookie options to the Rails cookie jar, setting the secure, httponly and same_site flags, a one-hour expiry and a path restriction.
Need more help in preventing Insecure Cookies?
Mobb supports fixing many forms of Insecure Cookie vulnerabilities, and can mitigate your issues in batch.
Start now for free at app.mobb.ai
We'd love your feedback!
We're excited to hear your thoughts and ideas about fixing vulnerabilities.
Book a meeting or Contact us if you have any corrections, questions or suggestions. Start now for free at https://app.mobb.ai