The Secure attribute for sensitive cookies in HTTPS sessions is not set.
View on MITREOmitting the secure flag makes it possible for the user agent to send the cookies in plaintext over an HTTP session.
Always set the secure attribute when the cookie should be sent via HTTPS only.
No detection method information available for this CWE.
The snippet of code below, taken from a servlet doPost() method, sets an accountID cookie (sensitive) without calling setSecure(true).
A product does not set the Secure attribute for sensitive cookies in HTTPS sessions, which could cause the user agent to send those cookies in plaintext over an HTTP session with the product.
View DetailsA product does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.
View DetailsA product does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.
View DetailsA product does not set the secure flag for a cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.
View DetailsCWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The Secure attribute for sensitive cookies in HTTPS sessions is not set.
If exploited, CWE-614 (Sensitive Cookie in HTTPS Session Without 'Secure' Attribute) it can compromise Confidentiality, leading to outcomes such as Read Application Data.
Recommended mitigations for CWE-614 include: Always set the secure attribute when the cookie should be sent via HTTPS only.
MITRE documents real CVEs mapped to CWE-614, including CVE-2004-0462, CVE-2008-3663, CVE-2008-3662 and CVE-2008-0128. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.
A CWE (Common Weakness Enumeration) like CWE-614 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.