Web Application Session Cookies Not Marked Secure

This script is Copyright (C) 2010-2015 Tenable Network Security, Inc.

Synopsis :

HTTP session cookies may be transmitted in cleartext.

Description :

The remote web application uses cookies to track authenticated users.
However, either the application is served over unencrypted HTTP, or the
session cookie(s) it sets lack the 'Secure' attribute. Without that
attribute the browser will also send the cookie on any plain http://
request to the same host (for example, a user following an http:// link
or an attacker injecting one into another page), so the cookie is not
confined to the TLS-protected channel.

As a result, an attacker positioned on the network path may be able to
intercept these cookies and hijack the associated session.

See also :


Solution :

- Host the web application on a server that only provides TLS (HTTPS).
  Redirecting HTTP to HTTPS is not sufficient on its own: the initial
  http:// request still carries the cookie in cleartext.

- Set the 'Secure' attribute on all cookies, and in particular on every
  session cookie, so the browser only returns them over HTTPS.
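
The check below is an added example, not code from the Nessus plugin or from
Tenable. It parses Set-Cookie headers the way a scanner would, flags
session-looking cookies that were either set over plain HTTP or lack the
Secure attribute, and shows the corrected header. The session-name heuristic
(SESSION_NAME) and the sample headers are constructed for illustration and
are assumptions, not part of the plugin.

```python
"""Audit Set-Cookie headers for session cookies that can leak in cleartext.

Added example, not code from the Nessus plugin. The session-name heuristic
and the sample headers below are constructed for illustration.
"""
import re

# Heuristic for cookie names that usually carry a session or auth token
# (assumption; extend the pattern for the application under test).
SESSION_NAME = re.compile(r"sess|sid|auth|token|login", re.IGNORECASE)


def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (name, value, {attr: value}).

    Attribute names are lower-cased; flag attributes such as Secure map to True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def audit_cookies(set_cookie_headers, scheme):
    """Return [(cookie_name, reason)] for session cookies exposed to cleartext.

    scheme is the scheme of the response that carried the headers
    ("http" or "https").
    """
    findings = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if not SESSION_NAME.search(name):
            continue  # not session-related; out of scope for this check
        if scheme.lower() != "https":
            # The value already crossed the wire in the clear when it was set;
            # a Secure attribute cannot undo that.
            findings.append((name, "set over unencrypted HTTP"))
        elif "secure" not in attrs:
            # Browser may replay it on any http:// request to the same host.
            findings.append((name, "missing Secure attribute"))
    return findings


def hardened_set_cookie(name, value, path="/"):
    """Build a Set-Cookie value the browser will only send over HTTPS.

    HttpOnly is added as well; it is standard hardening but not what this
    plugin checks.
    """
    return f"{name}={value}; Path={path}; Secure; HttpOnly"


# Constructed sample response headers (not captured from a real host).
SAMPLE_HEADERS = [
    "JSESSIONID=3F2504E04F8911D39A0C0305E82C3301; Path=/",
    "PHPSESSID=abc123; Path=/; Secure; HttpOnly",
    "theme=dark; Path=/; Max-Age=31536000",
    "auth_token=xyz; Path=/; HttpOnly",
]

if __name__ == "__main__":
    for cookie, reason in audit_cookies(SAMPLE_HEADERS, "https"):
        print(f"{cookie}: {reason}")
    print("fixed:", hardened_set_cookie("JSESSIONID", "3F2504E0"))
```

Run against the sample headers over HTTPS, JSESSIONID and auth_token are
reported for the missing attribute while PHPSESSID passes; run with scheme
"http", every session cookie is reported regardless of attributes, which is
why the first solution item (HTTPS only) matters as much as the second.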

Risk factor :

Medium / CVSS Base Score : 4.3

Family: Web Servers

Nessus Plugin ID: 49218 (http_insecure_session_cookie.nasl)

Bugtraq ID:

