Description: The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session. The attribute is an instruction to the user agent: a cookie carrying it is only attached to requests sent over a secure (HTTPS) connection. Without it, a browser that later makes a plain HTTP request to the same host (for example, because a page embeds an http:// link or an attacker injects one) sends the session or account cookie unencrypted, where anyone on the network path can read it.

Relationships:
  Views 1000 and 699: Weakness, ChildOf 311
  View 888: Category, ChildOf 895

Time of Introduction: Implementation

Common Consequences: Confidentiality; Read application data

Potential Mitigations (Implementation): Always set the Secure attribute when the cookie should be sent via HTTPS only. In practice this means every cookie that carries a session identifier or other authentication state, set from a response served over HTTPS.

Demonstrative Example: The snippet of code below, taken from a servlet doPost() method, sets an accountID cookie (sensitive) without calling setSecure(true). The cookie is therefore returned by the browser on HTTP requests as well as HTTPS ones.

Java:
    // Vulnerable as written: the Secure attribute is never set on a sensitive cookie.
    Cookie c = new Cookie(ACCOUNT_ID, acctID);
    response.addCookie(c);

Observed Examples:
  CVE-2004-0462: A product does not set the Secure attribute for sensitive cookies in HTTPS sessions, which could cause the user agent to send those cookies in plaintext over an HTTP session with the product.
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0462
  CVE-2008-3663: A product does not set the secure flag for the session cookie in an HTTPS session, which can cause the cookie to be sent in HTTP requests and make it easier for remote attackers to capture this cookie.
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3663
  CVE-2008-3662: A product does not set the secure flag for the session cookie in an HTTPS session, which can cause the cookie to be sent in HTTP requests and make it easier for remote attackers to capture this cookie.
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3662
  CVE-2008-0128: A product does not set the secure flag for a cookie in an HTTPS session, which can cause the cookie to be sent in HTTP requests and make it easier for remote attackers to capture this cookie.
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0128

Related Attack Patterns: 102

Submitted by: Anonymous Tool Vendor (under NDA)

Modifications:
  2008-07-01 Sean Eidemiller (Cigital): added/updated demonstrative examples
  2008-07-01 Eric Dalci (Cigital): updated Potential_Mitigations, Time_of_Introduction
  2008-09-08 CWE Content Team (MITRE): updated Relationships, Taxonomy_Mappings
  2008-10-14 CWE Content Team (MITRE): updated Observed_Examples
  2009-03-10 CWE Content Team (MITRE): updated Name
  2009-05-27 CWE Content Team (MITRE): updated Related_Attack_Patterns
  2011-06-01 CWE Content Team (MITRE): updated Common_Consequences
  2012-05-11 CWE Content Team (MITRE): updated Relationships
  2012-10-30 CWE Content Team (MITRE): updated Potential_Mitigations

Previous Entry Name: Unset Secure Attribute for Sensitive Cookies in HTTPS Session
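The following is an added example, not code from the CWE entry or from any of the products cited above. It shows the two sides of the mitigation in Python: building a Set-Cookie header that carries the Secure attribute (the equivalent of calling setSecure(true) on the servlet Cookie), and an audit that scans Set-Cookie header values from an HTTPS response and reports sensitive cookies that lack it. The set of cookie names treated as sensitive and the sample header values are constructed for this illustration; the HttpOnly check is included because a session cookie without it is the usual companion finding, not because the entry requires it.

```python
"""Added example (not part of the CWE entry): build a Set-Cookie header value
with the Secure attribute, and audit Set-Cookie header values from an HTTPS
response for sensitive cookies that lack it. The sensitive-name list and the
sample headers are constructed for this illustration."""
from http.cookies import SimpleCookie

# Assumption: cookie names (compared case-insensitively) that carry session or
# account state and therefore must never travel over plaintext HTTP.
SENSITIVE_COOKIE_NAMES = {"accountid", "jsessionid", "sessionid"}


def build_cookie_header(name: str, value: str, *, secure: bool = True,
                        http_only: bool = True, path: str = "/") -> str:
    """Return a Set-Cookie header value. With the defaults the user agent will
    only return the cookie over HTTPS (Secure) and will not expose it to
    scripts (HttpOnly)."""
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["path"] = path
    morsel["secure"] = secure        # flag: emitted as "Secure" only when True
    morsel["httponly"] = http_only   # flag: emitted as "HttpOnly" only when True
    return morsel.OutputString()


def audit_set_cookie(header_value: str,
                     sensitive_names=SENSITIVE_COOKIE_NAMES) -> tuple[str, list[str]]:
    """Parse one Set-Cookie header value and return (cookie name, findings).
    Findings are only produced for cookies whose name is in sensitive_names;
    attribute names are matched case-insensitively."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    findings: list[str] = []
    if name.lower() in sensitive_names:
        if "secure" not in attrs:
            findings.append("missing Secure")
        if "httponly" not in attrs:
            findings.append("missing HttpOnly")
    return name, findings


# Constructed sample Set-Cookie values, as if captured from one HTTPS response.
SAMPLE_RESPONSE_HEADERS = [
    "accountID=12345; Path=/",                    # what the servlet snippet emits
    "JSESSIONID=ABC123; Path=/; HttpOnly",        # HttpOnly set, Secure still missing
    "theme=dark; Path=/",                         # not sensitive: no finding expected
    build_cookie_header("accountID", "12345"),    # hardened form of the first cookie
]


def audit_response(headers=SAMPLE_RESPONSE_HEADERS) -> list[tuple[str, list[str]]]:
    """Audit every Set-Cookie value in order and return (name, findings) for
    each cookie that has at least one finding."""
    return [(name, findings)
            for name, findings in (audit_set_cookie(h) for h in headers)
            if findings]


if __name__ == "__main__":
    for cookie_name, cookie_findings in audit_response():
        print(f"{cookie_name}: {', '.join(cookie_findings)}")
```

The audit only makes sense against responses served over HTTPS, which is the situation the entry describes; a cookie set on a plaintext response is already exposed regardless of its attributes. Note that Secure restricts where the user agent sends the cookie, it does not encrypt the cookie's value, so the transport must still be TLS end to end.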