# Flask Insecure Session Configuration

- ID: flask-session-security
- Severity: MEDIUM
- CWE: Sensitive Cookie Without Secure Flag (CWE-614)
- Languages: Python
- Frameworks: flask

## Description

Detects insecure Flask session configuration that can lead to session hijacking or tampering. Sessions should use secure cookies and strong secret keys.

## Remediation

Load SECRET_KEY from the environment and enable the secure cookie settings.

```python
import os

from flask import Flask

app = Flask(__name__)

# Never hard-code the key; fail at start-up if it is not provided.
app.config['SECRET_KEY'] = os.environ['SECRET_KEY']
# Only send the session cookie over HTTPS.
app.config['SESSION_COOKIE_SECURE'] = True
# Keep the session cookie out of reach of client-side scripts.
app.config['SESSION_COOKIE_HTTPONLY'] = True
# Do not send the session cookie on cross-site requests.
app.config['SESSION_COOKIE_SAMESITE'] = 'Lax'
```

Learn more: https://shoulder.dev/learn/python/cwe-614/session-security

## Documentation

## Related Rules

- **Insecure Cookie Configuration** [MEDIUM]:
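As an added example (not part of the rule page or the Flask project), the check below audits a Flask-style `app.config` mapping for the conditions this rule describes, with a constructed insecure configuration beside the remediated one. It runs without Flask installed; `audit_session_config`, `hardened_config`, the weak-key list and the 32-character length threshold are assumptions of this example, and the defaults it relies on (`SESSION_COOKIE_SECURE` off, `SESSION_COOKIE_HTTPONLY` on, `SESSION_COOKIE_SAMESITE` unset) are Flask's documented defaults.

```python
import os

# Constructed example of the configuration this rule flags:
# a short, hard-coded key and no cookie flags set.
INSECURE_CONFIG = {"SECRET_KEY": "dev"}

# Assumed list of placeholder keys that must never reach production.
WEAK_KEYS = {"", "dev", "secret", "changeme", "password", "secret_key"}
MIN_KEY_LENGTH = 32  # assumed threshold; Flask suggests secrets.token_hex(32)


def hardened_config(environ=os.environ):
    """Build the remediated settings, taking SECRET_KEY from the environment."""
    secret = environ.get("SECRET_KEY")
    if not secret:
        raise RuntimeError("SECRET_KEY must be provided via the environment")
    return {
        "SECRET_KEY": secret,
        "SESSION_COOKIE_SECURE": True,
        "SESSION_COOKIE_HTTPONLY": True,
        "SESSION_COOKIE_SAMESITE": "Lax",
    }


def audit_session_config(config):
    """Return a list of findings for a Flask-style config mapping.

    Missing keys are evaluated at Flask's defaults: SESSION_COOKIE_SECURE is
    False, SESSION_COOKIE_HTTPONLY is True, SESSION_COOKIE_SAMESITE is None.
    """
    findings = []
    key = config.get("SECRET_KEY")
    if not key:
        findings.append("SECRET_KEY is unset")
    elif key.lower() in WEAK_KEYS or len(key) < MIN_KEY_LENGTH:
        findings.append("SECRET_KEY is weak or hard-coded")
    if not config.get("SESSION_COOKIE_SECURE", False):
        findings.append("SESSION_COOKIE_SECURE is not True")
    if not config.get("SESSION_COOKIE_HTTPONLY", True):
        findings.append("SESSION_COOKIE_HTTPONLY is disabled")
    if config.get("SESSION_COOKIE_SAMESITE") not in ("Lax", "Strict"):
        findings.append("SESSION_COOKIE_SAMESITE is not Lax or Strict")
    return findings


if __name__ == "__main__":
    print("insecure:", audit_session_config(INSECURE_CONFIG))
    print("hardened:", audit_session_config(hardened_config({"SECRET_KEY": "x" * 64})))
```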