Failure to use secure cookies
ID: java/insecure-cookie
Kind: problem
Security severity: 5.0
Severity: error
Precision: high
Tags:
- security
- external/cwe/cwe-614
Query suites:
- java-code-scanning.qls
- java-security-extended.qls
- java-security-and-quality.qls
Failing to set the ‘secure’ flag on a cookie can cause it to be sent in cleartext. This makes it easier for an attacker to intercept.
Recommendation
Always use setSecure to set the 'secure' flag on a cookie before adding it to an HttpServletResponse.
Example
This example shows two ways of adding a cookie to an HttpServletResponse. The first way leaves out the setting of the 'secure' flag; the second way includes the setting of the flag.

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class CookieExample {
    public static void test(HttpServletRequest request, HttpServletResponse response) {
        {
            Cookie cookie = new Cookie("secret", "fakesecret");
            // BAD: 'secure' flag not set, so the cookie may be sent over plain HTTP
            response.addCookie(cookie);
        }
        {
            Cookie cookie = new Cookie("secret", "fakesecret");
            // GOOD: set 'secure' flag so the browser only sends the cookie over HTTPS
            cookie.setSecure(true);
            response.addCookie(cookie);
        }
    }
}
```
References
SEI CERT Oracle Coding Standard for Java: SER03-J. Do not serialize unencrypted, sensitive data.
Java Platform, Enterprise Edition (Java EE) 7, API Specification: Class Cookie.
Common Weakness Enumeration: CWE-614.