A cookie is created without the secure
flag set to true
.
Modern web browsers support a secure
flag for each cookie. If the flag is set, the browser will only send the cookie over HTTPS. Sending cookies over an unencrypted channel can expose them to network sniffing attacks, so the secure flag helps keep a cookie's value confidential. This is especially important if the cookie contains private data or carries a session identifier.
Example: In the example below, a cookie added to the response without setting the Secure
property.
...
HttpCookie cookie = new HttpCookie("emailCookie", email);
Response.AppendCookie(cookie);
...
secure
flag, cookies set during an HTTPS request will also be sent during subsequent HTTP requests. Sniffing network traffic over unencrypted wireless connections is a trivial task for attackers, so sending cookies (especially those with session IDs) over HTTP can result in application compromise.[1] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A10 Insecure Configuration Management
[2] Standards Mapping - OWASP Top 10 2007 - (OWASP 2007) A9 Insecure Communications
[3] Standards Mapping - OWASP Top 10 2010 - (OWASP 2010) A9 Insufficient Transport Layer Protection
[4] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[5] Mike Perry Automated HTTPS Cookie Hijacking
[6] Standards Mapping - FIPS200 - (FISMA) CM, SC
[7] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 614
[8] HttpCookie Class Microsoft
[9] Standards Mapping - Web Application Security Consortium 24 + 2 - (WASC 24 + 2) Insufficient Authentication
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2) Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 4.1, Requirement 6.5.10
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 - (PCI 2.0) Requirement 4.1, Requirement 6.5.4