Cookie session without 'Secure' flag

Published on
04 Jul 2018
2 min read
Cookies Attributes

Cookies are used to manage state, handle logins or to track you for advertising purposes and should be kept safe. The process involved in setting cookie are:-

  1. The server asks the browser to set a cookie.
  2. It gives a name, value and other parameters.
  3. Browser stores the data in disk or memory. This feature depends on the cookie type.

When an HTTP protocol is used for communication between client and server, the data traffic is sent in plaintext. An HHTP allows the attacker to see/modify the traffic using a Man-In-The-Middle attack (MITM). HTTPS is a secure version of HTTP. This protocol uses SSL/TLS to protect the data in the application layer. HTTPS is used for better authentication and data integrity. A secure flag is set by the application server while sending a new cookie to the user using an HTTP Response. The secure flag is used to prevent cookies from being observed and manipulated by an unauthorized party or parties. This is because the cookie is sent as a normal text. A browser will not send a cookie with the secure flag that is sent over an unencrypted HTTP request. That is, by setting the secure flag the browser will prevent/stop the transmission of a cookie over an unencrypted channel.


Using this vulnerability, an attacker can:-

  • redirect the user to a malicious site to steal information/data.
  • show user false data which will, in turn, affect the credibility of the website.

Mitigation / Precaution

Beagle recommends the following fixes:-

Add the following code In the element.

        <httpCookies requireSSL="true" />


add requireSSL=”true” to the form’s element as well.

        <authentication mode="Forms">
        <forms requireSSL="true">
        /* forms content */ </forms>



In PHP, this can be implemented in 3 ways

Method - 1: By using the ini_set function

        1 ini_set("session.cookie_secure", 1);


Method - 2: By using session_set_cookie_params function:

        1 session_set_cookie_params(0, NULL, NULL, TRUE, NULL);


Method - 3: By using the setcookie function

        1 setcookie("name", "value", NULL, NULL, NULL, TRUE, NULL);

Automated human-like penetration testing for your web apps & APIs
Teams using Beagle Security are set up in minutes, embrace release-based CI/CD security testing and save up to 65% with timely remediation of vulnerabilities. Sign up for a free account to see what it can do for you.

Written by
Co-founder, Director
Find website security issues in a flash
Improve your website's security posture with proactive vulnerability detection.
Free website security assessment
Experience the power of automated penetration testing & contextual reporting.