Web Application Session Cookies Not Marked Secure

Medium Nessus Plugin ID 49218


HTTP session cookies may be transmitted in cleartext.


The remote web application uses cookies to track authenticated users. However, there are instances where the application is running over unencrypted HTTP or the cookie(s) are not marked 'secure', meaning the browser could send them back over an unencrypted link under certain circumstances.

As a result, it may be possible for a remote attacker to intercept these cookies.


- Host the web application on a server that only provides SSL (HTTPS).

- Mark all cookies as 'secure'.

See Also


Plugin Details

Severity: Medium

ID: 49218

File Name: http_insecure_session_cookie.nasl

Version: $Revision: 1.10 $

Type: remote

Family: Web Servers

Published: 2010/09/14

Modified: 2016/11/18

Dependencies: 44987

Risk Information

Risk Factor: Medium


Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N

Reference Information

CWE: 522, 718, 724, 928, 930