Cookie session without 'Secure' flag

OWASP 2013-A5 OWASP 2017-A6 OWASP 2021-A5 OWASP 2019-API7 CAPEC-102 CWE-614 ISO27001-A.14.1.2 WASC-15 WSTG-SESS-02

Cookies are used to manage state, handle logins or to track you for advertising purposes and should be kept safe. The steps involved in setting a cookie are:

  1. The server asks the browser to set a cookie.
  2. It gives a name, value and other parameters.
  3. The browser stores the data on disk or in memory, depending on the cookie type.

When HTTP is used for communication between client and server, the traffic is sent in plaintext. HTTP therefore allows an attacker to see or modify the traffic using a Man-In-The-Middle (MITM) attack. HTTPS is the secure version of HTTP: it uses SSL/TLS to protect application-layer data and provides better authentication and data integrity. The Secure flag is set by the application server when it sends a new cookie to the user in an HTTP response. Its purpose is to prevent cookies from being observed and manipulated by an unauthorized party, which is possible whenever a cookie is sent as plain text. A browser will not send a cookie that has the Secure flag over an unencrypted HTTP request. That is, setting the Secure flag makes the browser withhold the cookie from any unencrypted channel.


Using this vulnerability, an attacker can:

  • redirect the user to a malicious site to steal information/data.
  • show the user false data, which in turn affects the credibility of the website.

Mitigation / Precaution

Beagle recommends the following fixes:

Add the following code in the element.

        <httpCookies requireSSL="true" />


Add requireSSL="true" to the forms element as well.

        <authentication mode="Forms">
          <forms requireSSL="true">
            <!-- forms content -->
          </forms>
        </authentication>



In PHP, this can be implemented in 3 ways:

Method - 1: By using the ini_set function

        // Must run before session_start() so the session cookie picks it up
        ini_set("session.cookie_secure", 1);


Method - 2: By using session_set_cookie_params function:

        // Arguments: lifetime, path, domain, secure, httponly
        session_set_cookie_params(0, NULL, NULL, TRUE, NULL);


Method - 3: By using the setcookie function

        // Arguments: name, value, expires, path, domain, secure, httponly
        setcookie("name", "value", 0, "", "", true, false);
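
To confirm that the fixes above took effect, inspect the Set-Cookie headers the server actually returns. The following Python check is an added example, not Beagle's own code; the function names and the sample response are constructed for illustration.

```python
"""Audit Set-Cookie response headers for a missing Secure attribute."""


def parse_set_cookie(value):
    """Split one Set-Cookie header value into (name, attribute-dict).

    The first name=value pair is the cookie itself; everything after the
    first ';' is an attribute. Attribute names are case-insensitive.
    """
    parts = [p.strip() for p in value.split(";")]
    name, _, _ = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def cookies_missing_secure(raw_headers):
    """Return the names of cookies set without the Secure attribute."""
    missing = []
    for line in raw_headers.splitlines():
        # Split on the first ':' only, so Expires timestamps stay intact.
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() == "set-cookie":
            name, attrs = parse_set_cookie(value)
            if "secure" not in attrs:
                missing.append(name)
    return missing


# Constructed sample response headers (not captured from a real site).
# The third cookie is *named* "secure" but carries no Secure attribute.
SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: PHPSESSID=abc123; path=/; HttpOnly
Set-Cookie: ASP.NET_SessionId=xyz789; path=/; secure; HttpOnly
set-cookie: secure=1; Path=/
Set-Cookie: theme=dark; Path=/; Secure; SameSite=Lax
"""

if __name__ == "__main__":
    for cookie in cookies_missing_secure(SAMPLE_RESPONSE):
        print(f"missing Secure: {cookie}")
```

Paste the response headers of a login or session-creating request into the function; any name it returns is a cookie the browser will still send over plain HTTP.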

