# Sensitive Cookie in HTTPS Session Without 'Secure' Attribute (CWE-614)

The Secure attribute for sensitive cookies is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session.

- Prevalence: Medium (1 language covered)
- Impact: Medium (review recommended)
- Prevention: Documented (2 fix examples)

**OWASP:** Cryptographic Failures (A02:2021-Cryptographic Failures) - #2

## Description

If a cookie does not have the Secure flag, it will be sent over unencrypted HTTP connections. This exposes the cookie to interception by attackers on the network.

## Prevention

### Key Practices

- Use secure cookies and strong secret keys

### Python

- Use a strong SECRET_KEY loaded from the environment and enable the secure cookie flags
- Set the Secure, HttpOnly, and SameSite flags on all session and authentication cookies

## Warning Signs

- [MEDIUM] Insecure Flask session configuration that can lead to session hijacking or tampering
- [MEDIUM] Cookies set without the httpOnly, secure, or sameSite flags

## Consequences

- Read Application Data
- Bypass Protection Mechanism

## Mitigations

- Set the Secure flag on all sensitive cookies
- Use HTTPS for all pages that handle sensitive data
- Also set the HttpOnly and SameSite attributes

## Detection

- Total rules: 2
- Languages: python

## Rules by Language

### Python (2 rules)

- **Flask Insecure Session Configuration** [MEDIUM]: Detects insecure Flask session configuration that can lead to session hijacking or tampering. Sessions should use secure cookies and strong secret keys.
  - Remediation: Load SECRET_KEY from the environment and enable the secure cookie settings.

```python
import os
from flask import Flask

app = Flask(__name__)
# Signing key from the environment; the cookie flags below restrict the
# session cookie to HTTPS, hide it from scripts and limit cross-site sends
app.config['SECRET_KEY'] = os.environ['SECRET_KEY']
app.config['SESSION_COOKIE_SECURE'] = True
app.config['SESSION_COOKIE_HTTPONLY'] = True
app.config['SESSION_COOKIE_SAMESITE'] = 'Lax'
```

Learn more: https://shoulder.dev/learn/python/cwe-614/session-security

- **Insecure Cookie Configuration** [MEDIUM]: Detects cookies set without the httpOnly, secure, or sameSite flags. Missing flags make cookies vulnerable to XSS, MITM, and CSRF attacks.
  - Remediation: Set the secure, httponly, and samesite flags on all cookies.

```python
from flask import make_response

response = make_response('ok')
# token: the session identifier generated by the application
response.set_cookie(
    'session_id',
    value=token,
    secure=True,        # sent over HTTPS only
    httponly=True,      # not readable from JavaScript
    samesite='Strict'   # never attached to cross-site requests
)
```

Learn more: https://shoulder.dev/learn/python/cwe-614/insecure-cookie
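As an added example that is not part of this page or of the scanner it describes, the audit below parses Set-Cookie header values and reports the missing or weak attributes the two rules above look for; the sensitive-name heuristic and the sample headers are constructed for the example.

```python
"""Audit Set-Cookie header values for the Secure, HttpOnly and SameSite attributes."""
from dataclasses import dataclass, field
from typing import List, Optional

# Name fragments that usually mark session/auth cookies; a heuristic chosen
# for this example, not a standard list.
SENSITIVE_HINTS = ("session", "sess", "auth", "token", "jwt")

@dataclass
class CookieAudit:
    name: str
    secure: bool
    httponly: bool
    samesite: Optional[str]
    findings: List[str] = field(default_factory=list)

def parse_set_cookie(header: str) -> CookieAudit:
    """Split one Set-Cookie value into its cookie name and attribute flags."""
    pieces = [p.strip() for p in header.split(";")]
    name = pieces[0].split("=", 1)[0].strip()
    attrs = {}
    for piece in pieces[1:]:
        key, _, value = piece.partition("=")
        attrs[key.strip().lower()] = value.strip() or True  # bare flags become True
    samesite = attrs.get("samesite")
    return CookieAudit(name, "secure" in attrs, "httponly" in attrs,
                       samesite if isinstance(samesite, str) else None)

def audit_cookie(header: str) -> CookieAudit:
    """Return the parsed cookie with one finding per missing or weak attribute."""
    cookie = parse_set_cookie(header)
    sensitive = any(h in cookie.name.lower() for h in SENSITIVE_HINTS)
    if not cookie.secure:
        cookie.findings.append("missing Secure: sent over plaintext HTTP (CWE-614)")
    if sensitive and not cookie.httponly:
        cookie.findings.append("missing HttpOnly: readable by page script (XSS)")
    if cookie.samesite is None or cookie.samesite.lower() == "none":
        cookie.findings.append("SameSite absent or None: review cross-site exposure (CSRF)")
    return cookie

# Constructed sample headers, not captured from any real application.
SAMPLE_HEADERS = [
    "session=abc123; Path=/",
    "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "theme=dark; Path=/; Secure; SameSite=None",
]
```

Running `audit_cookie` over `SAMPLE_HEADERS` flags the first header three times, passes the second, and flags only the SameSite=None choice on the third.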