Detections
Analytics

Web Application Session Cookies Not Marked Secure

medium Nessus Plugin ID 49218

Language:

Synopsis

HTTP session cookies may be transmitted in cleartext.

Description

The remote web application uses cookies to track authenticated users. However, there are instances where the application is running over unencrypted HTTP or the cookie(s) are not marked 'secure', meaning the browser could send them back over an unencrypted link under certain circumstances.

As a result, it may be possible for a remote attacker to intercept these cookies.

Solution

- Host the web application on a server that only provides SSL (HTTPS).

- Mark all cookies as 'secure'.

See Also

http://www.nessus.org/u?1c015bda

Plugin Details

Severity: Medium

ID: 49218

File Name: http_insecure_session_cookie.nasl

Version: 1.11

Type: remote

Family: Web Servers

Published: 9/14/2010

Updated: 11/15/2018

Supported Sensors: Nessus

Risk Information

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N

Reference Information

CWE: 522, 718, 724, 928, 930