Weakness reference
CWE-614

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

01 Summary

This weakness occurs when a web application sets a sensitive cookie (such as a session token or authentication credential) over HTTPS but fails to include the Secure attribute. Without this flag, the browser may transmit the cookie over unencrypted HTTP connections, exposing it to interception. Even if your site uses HTTPS, a downgrade attack or user navigation to an HTTP version can leak the cookie to an attacker on the network.

02 How It Happens

When a cookie is set without the Secure attribute, the browser treats it as safe to send over both encrypted (HTTPS) and unencrypted (HTTP) connections. An attacker on the same network can intercept HTTP traffic and capture the cookie. This is especially dangerous if the user is redirected to an HTTP page, visits an HTTP link from your domain, or falls victim to a protocol downgrade attack (such as SSL stripping). The vulnerability is compounded when the cookie contains authentication tokens, session IDs, or other sensitive data that could grant an attacker access to the user's account.

03 Real-World Impact

An attacker positioned on the network (such as on a shared WiFi network) can passively capture sensitive cookies transmitted over HTTP and use them to impersonate the user. This can lead to account takeover, unauthorized access to user data, or privilege escalation if the cookie grants administrative rights. Even a brief moment of HTTP exposure—such as a misconfigured redirect or a user manually typing http:// instead of https://—is enough for an attacker to harvest the cookie and maintain access to the account.

04 Vulnerable & Fixed Patterns

Vulnerable pattern
from flask import Flask, make_response, request

app = Flask(__name__)

# authenticate_user() is assumed to be defined elsewhere in the application
# and to return a user object carrying a session token.
@app.route('/login', methods=['POST'])
def login():
    user = authenticate_user(request.form['username'], request.form['password'])
    response = make_response("Login successful")
    # No secure=True: the browser may also send this cookie over plain HTTP.
    response.set_cookie('session_token', user.token)
    return response

Why it's vulnerable:
The cookie is set without the Secure attribute, so the browser will send it over HTTP if the user is downgraded or redirected to an unencrypted connection.

Fixed pattern
from flask import Flask, make_response, request

app = Flask(__name__)

# authenticate_user() is assumed to be defined elsewhere in the application
# and to return a user object carrying a session token.
@app.route('/login', methods=['POST'])
def login():
    user = authenticate_user(request.form['username'], request.form['password'])
    response = make_response("Login successful")
    # secure=True restricts the cookie to HTTPS; httponly and samesite harden it further.
    response.set_cookie('session_token', user.token, secure=True, httponly=True, samesite='Strict')
    return response

Vulnerable pattern
<?php
session_start();
// $user_id and $token are assumed to come from the application's authentication step.
$_SESSION['user_id'] = $user_id;
// The $secure argument is omitted, so it defaults to false.
setcookie('auth_token', $token, time() + 3600, '/', '.example.com');
?>

Why it's vulnerable:
The cookie is set without the secure parameter, allowing it to be transmitted over HTTP connections.

Fixed pattern
<?php
session_start();
// $user_id and $token are assumed to come from the application's authentication step.
$_SESSION['user_id'] = $user_id;
// The options-array form of setcookie() requires PHP 7.3 or later.
setcookie('auth_token', $token, [
    'expires' => time() + 3600,
    'path' => '/',
    'domain' => '.example.com',
    'secure' => true,
    'httponly' => true,
    'samesite' => 'Strict'
]);
?>

05 Prevention Checklist

Always set the Secure attribute on cookies containing authentication tokens, session IDs, or other sensitive data.
Pair Secure with HttpOnly to prevent JavaScript from accessing the cookie, and SameSite to mitigate CSRF attacks.
Configure your web server to redirect all HTTP traffic to HTTPS and set the Strict-Transport-Security (HSTS) header to prevent downgrade attacks.
Audit existing cookies in your application; use browser developer tools or security scanners to identify cookies missing the Secure flag.
Test your application over both HTTP and HTTPS to verify that sensitive cookies are never transmitted unencrypted.
Document your cookie policy and include it in code review checklists to catch new instances during development.

06 Signs You May Already Be Affected

Review your application's Set-Cookie headers in HTTP responses (visible in browser developer tools or proxy logs). If you see cookies with sensitive values (session tokens, authentication credentials) that lack Secure; HttpOnly; SameSite=... attributes, your application is vulnerable. Additionally, check your web server logs for unusual session activity or multiple login attempts from different IP addresses, which may indicate cookie theft.
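A small audit helper for the header review described above, added here as an example and not part of this CWE entry: it parses Set-Cookie header values (the samples below are constructed) and reports sensitive cookies that lack Secure, HttpOnly or a restrictive SameSite. The list of name fragments used to decide which cookies count as sensitive is an assumption.

```python
"""Audit Set-Cookie headers for sensitive cookies missing Secure/HttpOnly/SameSite."""

# Name fragments that usually indicate session or auth material (assumed heuristic).
SENSITIVE_NAME_HINTS = ("session", "token", "auth", "sid", "jwt")

# Constructed sample Set-Cookie values, as they would appear in proxy logs.
SAMPLE_HEADERS = [
    "session_token=abc123; Path=/; HttpOnly",
    "auth_token=xyz789; Expires=Wed, 01 Jan 2025 00:00:00 GMT; Path=/; Domain=.example.com",
    "session_token=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",
    "theme=dark; Path=/",
]


def parse_set_cookie(header):
    """Split a Set-Cookie value into (cookie_name, {attribute_lowercase: value})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def is_sensitive(name):
    """Heuristic: does the cookie name look like it carries a session or credential?"""
    lowered = name.lower()
    return any(hint in lowered for hint in SENSITIVE_NAME_HINTS)


def audit_set_cookie(header):
    """Return a list of findings for one Set-Cookie header (empty if none)."""
    name, attrs = parse_set_cookie(header)
    if not is_sensitive(name):
        return []
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure (cookie may be sent over plain HTTP)")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly (readable by JavaScript)")
    if attrs.get("samesite", "").lower() not in ("strict", "lax"):
        findings.append(f"{name}: missing or permissive SameSite")
    return findings


def audit_all(headers):
    """Run the audit over a list of Set-Cookie values and collect every finding."""
    return [finding for h in headers for finding in audit_set_cookie(h)]
```

Running audit_all(SAMPLE_HEADERS) reports two findings for the first header, three for the second, and none for the hardened session cookie or the non-sensitive theme cookie.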

07 Related Recent Vulnerabilities