‘Secure’ attribute is not set to true
ID: rust/insecure-cookie
Kind: path-problem
Security severity: 7.5
Severity: error
Precision: high
Tags:
- security
- external/cwe/cwe-319
- external/cwe/cwe-614
Query suites:
- rust-code-scanning.qls
- rust-security-extended.qls
- rust-security-and-quality.qls
Failing to set the ‘Secure’ attribute on a cookie allows it to be transmitted over an unencrypted (HTTP) connection. If an attacker can observe a user’s network traffic, they can access sensitive information in the cookie and potentially use it to impersonate the user.
Recommendation
Always set the cookie ‘Secure’ attribute so that the browser only sends the cookie over HTTPS.
Example

The following example creates a cookie using the cookie crate without the ‘Secure’ attribute:

```rust
use cookie::Cookie;

fn main() {
    // BAD: creating a cookie without specifying the `secure` attribute
    let cookie = Cookie::build(("session", "abcd1234")).build();
    let mut jar = cookie::CookieJar::new();
    jar.add(cookie.clone());
}
```

In the fixed example, we either call secure(true) on the CookieBuilder or set_secure(true) on the Cookie itself:

```rust
use cookie::Cookie;

fn main() {
    // GOOD: set the `CookieBuilder` 'Secure' attribute so that the cookie is only sent over HTTPS
    let secure_cookie = Cookie::build(("session", "abcd1234")).secure(true).build();
    let mut jar = cookie::CookieJar::new();
    jar.add(secure_cookie.clone());

    // GOOD: alternatively, set the 'Secure' attribute on an existing `Cookie`
    let mut secure_cookie2 = Cookie::new("session", "abcd1234");
    secure_cookie2.set_secure(true);
    jar.add(secure_cookie2);
}
```
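The query above catches the missing attribute at source level; a runtime check on the emitted headers complements it. The following is an added example, not part of the CodeQL query help or the cookie crate: a small dependency-free parser for Set-Cookie header values that reports cookies lacking the Secure attribute (attribute names compared case-insensitively, as RFC 6265 requires), suitable for an integration test against the server's actual responses. The sample headers are constructed.

```rust
#[derive(Debug, PartialEq)]
pub struct ParsedCookie {
    pub name: String,
    pub secure: bool,
    pub http_only: bool,
}

/// Parses one Set-Cookie header value into its name and the flags we care about.
/// Returns None for a malformed value with no cookie name.
pub fn parse_set_cookie(header: &str) -> Option<ParsedCookie> {
    let mut parts = header.split(';').map(str::trim);
    let pair = parts.next()?;
    let name = pair.split('=').next()?.trim();
    if name.is_empty() {
        return None;
    }
    let mut secure = false;
    let mut http_only = false;
    for attr in parts {
        // `Max-Age=3600` carries a value; `Secure` and `HttpOnly` are bare flags.
        let key = attr.split('=').next().unwrap_or("").trim().to_ascii_lowercase();
        match key.as_str() {
            "secure" => secure = true,
            "httponly" => http_only = true,
            _ => {}
        }
    }
    Some(ParsedCookie { name: name.to_string(), secure, http_only })
}

/// Returns the names of cookies in `headers` that are set without `Secure`.
pub fn insecure_cookies(headers: &[&str]) -> Vec<String> {
    headers
        .iter()
        .filter_map(|h| parse_set_cookie(h))
        .filter(|c| !c.secure)
        .map(|c| c.name)
        .collect()
}

fn main() {
    // Constructed sample headers, not captured from a real server.
    let headers = [
        "session=abcd1234; Path=/; HttpOnly",
        "session2=abcd1234; Path=/; Secure; HttpOnly",
        "theme=dark; Max-Age=3600; secure",
    ];
    for name in insecure_cookies(&headers) {
        println!("cookie `{}` is set without the Secure attribute", name);
    }
}
```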
References

MDN Web Docs: Using HTTP cookies.
OWASP Cheat Sheet Series: Session Management Cheat Sheet - Transport Layer Security.
MDN Web Docs: Set-Cookie header - Secure.
Common Weakness Enumeration: CWE-319.
Common Weakness Enumeration: CWE-614.