CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
The Secure attribute for sensitive cookies in HTTPS sessions is not set.
View on MITRETechnical Details
- Structure
- Simple
Applicable To
Security Consequences
Scope
Impact
Omitting the secure flag makes it possible for the user agent to send the cookies in plaintext over an HTTP session.
Mitigation Strategies
Phase
Description
Always set the secure attribute when the cookie should be sent via HTTPS only.
Detection Methods
No detection method information available for this CWE.
Code Examples & CVEs
Demonstrative Examples
The snippet of code below, taken from a servlet doPost() method, sets an accountID cookie (sensitive) without calling setSecure(true).
Observed CVE Examples (4)
A product does not set the Secure attribute for sensitive cookies in HTTPS sessions, which could cause the user agent to send those cookies in plaintext over an HTTP session with the product.
View DetailsA product does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.
View DetailsA product does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.
View DetailsA product does not set the secure flag for a cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.
View DetailsCWE Relationships
Frequently Asked Questions
What is CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute?+
CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The Secure attribute for sensitive cookies in HTTPS sessions is not set.
What are the security consequences of Sensitive Cookie in HTTPS Session Without 'Secure' Attribute?+
If exploited, CWE-614 (Sensitive Cookie in HTTPS Session Without 'Secure' Attribute) it can compromise Confidentiality, leading to outcomes such as Read Application Data.
How do you prevent or mitigate Sensitive Cookie in HTTPS Session Without 'Secure' Attribute?+
Recommended mitigations for CWE-614 include: Always set the secure attribute when the cookie should be sent via HTTPS only.
What are real-world examples of Sensitive Cookie in HTTPS Session Without 'Secure' Attribute?+
MITRE documents real CVEs mapped to CWE-614, including CVE-2004-0462, CVE-2008-3663, CVE-2008-3662 and CVE-2008-0128. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.
What is the difference between a CWE and a CVE?+
A CWE (Common Weakness Enumeration) like CWE-614 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.