CWE-1004βSensitive Cookie Without 'HttpOnly' Flag
PUBLISHEDweakness recordMedium
released 2017-01-19 Β· last modified 2026-04-30
Metadata
- CWE ID:
- CWE-1004
- Abstraction:
- Variant
- Structure:
- Simple
- Status:
- Incomplete
- Release Date:
- 2017-01-19
- Latest Modification Date:
- 2026-04-30
Weakness Name
Sensitive Cookie Without 'HttpOnly' Flag
Description
The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.
Common Consequences
- Scope:
- Confidentiality
- Impact:
- Read Application Data
- Notes:
- If the HttpOnly flag is not set, then sensitive information stored in the cookie may be exposed to unintended parties.
- Scope:
- Integrity
- Impact:
- Gain Privileges or Assume Identity
- Notes:
- If the cookie in question is an authentication cookie, then not setting the HttpOnly flag may allow an adversary to steal authentication data (e.g., a session ID) and assume the identity of the user.