When a cookie is protected with the secure attribute set to true it will not be sent by the browser over an unencrypted HTTP
request and thus cannot be observed by an unauthorized person during a man-in-the-middle attack. By default the secure flag is set to
false, so cookies can be stolen if a man-in-the-middle attack is performed. Note that the secure flag only governs transmission: it does not stop
client-side scripts from reading the cookie (that is what the HttpOnly flag is for).
You are at risk if the secure flag is set to false, or left unset, on a session cookie or any other security-sensitive cookie.
It is recommended to use HTTPS everywhere, so setting the secure flag to true should be the default behaviour
when creating cookies. At a minimum, set the secure flag to true for session and other security-sensitive cookies. If you create a security-sensitive cookie in your Java code:
import javax.servlet.http.Cookie;

Cookie c = new Cookie(COOKIENAME, sensitivedata);
c.setSecure(false); // Sensitive: a security-sensitive cookie is created with the secure flag explicitly set to false

By default the secure flag is set
to false:

Cookie c = new Cookie(COOKIENAME, sensitivedata); // Sensitive: a security-sensitive cookie is created with the secure flag not defined (by default set to false)

Compliant solution:

Cookie c = new Cookie(COOKIENAME, sensitivedata);
c.setSecure(true); // Compliant: the sensitive cookie will not be sent during an unencrypted HTTP request thanks to the secure flag set to true
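The snippets above show the flag on a single Cookie object. The following is an added example, not code from the original page or from the rule's author, that puts the compliant form into a complete servlet: it refuses to issue the sensitive cookie on a plain-HTTP request, sets Secure (and HttpOnly) on the cookie it creates, and registers a listener so the container-managed session cookie (JSESSIONID) gets the Secure flag too via the standard Servlet 3.0 SessionCookieConfig API. The servlet path, cookie name AUTH_TOKEN, the issueToken helper and the 30-minute lifetime are assumptions for illustration.

```java
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (not from the original page): issue a security-sensitive cookie
// with the Secure flag, and harden the container's own session cookie as well.
@WebServlet("/login") // assumed path
public class SecureCookieServlet extends HttpServlet {

    // Hypothetical cookie name; any sensitive cookie should be built the same way.
    static final String AUTH_COOKIE = "AUTH_TOKEN";
    private static final int THIRTY_MINUTES = 60 * 30; // assumed lifetime

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // The Secure flag stops the browser re-sending the cookie over HTTP, but the
        // response that sets it would still travel in clear if this request came in
        // over HTTP. Refuse to issue it in that case.
        if (!req.isSecure()) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }
        resp.addCookie(buildSensitiveCookie(AUTH_COOKIE, issueToken()));
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }

    // Compliant: every security-sensitive cookie goes through this builder.
    static Cookie buildSensitiveCookie(String name, String value) {
        Cookie c = new Cookie(name, value);
        c.setSecure(true);             // never sent over unencrypted HTTP
        c.setHttpOnly(true);           // not readable by JavaScript (Servlet 3.0+)
        c.setPath("/");
        c.setMaxAge(THIRTY_MINUTES);
        return c;
    }

    // Assumed helper: an opaque, unguessable token; the real value would be
    // bound to a server-side session or signed.
    private static String issueToken() {
        byte[] buf = new byte[32];
        new SecureRandom().nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }
}

// The container creates the JSESSIONID cookie itself, so setSecure on our own
// Cookie objects does not cover it. This listener configures it at startup.
@WebListener
class SessionCookieHardening implements ServletContextListener {
    @Override
    public void contextInitialized(ServletContextEvent sce) {
        SessionCookieConfig cfg = sce.getServletContext().getSessionCookieConfig();
        cfg.setSecure(true);   // session cookie carries the Secure flag
        cfg.setHttpOnly(true);
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to release
    }
}
```

The same session-cookie setting can be made declaratively in web.xml with a session-config / cookie-config element containing secure set to true. To check the result, request the endpoint over HTTPS (for example with curl -v) and confirm that every Set-Cookie header for the sensitive cookies ends with the Secure attribute; a Set-Cookie line without it is the sensitive case the rule flags.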