CWE-614 - Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
- Abstraction: Variant
- Structure: Simple
- Status: Draft
- Release Date: 2007-05-07
- Latest Modification Date: 2025-09-09
Weakness Name
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
Description
The Secure attribute for sensitive cookies in HTTPS sessions is not set.
Common Consequences
Scope: Confidentiality
Impact: Read Application Data
Notes: Omitting the secure flag makes it possible for the user agent to send the cookies in plaintext over an HTTP session.
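Added example (not part of the CWE entry): a minimal audit of Set-Cookie response headers that reports sensitive cookies issued without the Secure attribute. The header values and the name-based SENSITIVE_HINTS heuristic are assumptions constructed for illustration.

```python
# Added example: audit Set-Cookie headers for a missing Secure attribute.
# Header values and SENSITIVE_HINTS are constructed for illustration.

SENSITIVE_HINTS = ("session", "sid", "auth", "token")  # assumption: naming heuristic


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, attrs) with lowercase attribute names."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def is_sensitive(name):
    """Treat a cookie as sensitive when its name matches a hint (heuristic)."""
    lowered = name.lower()
    return any(hint in lowered for hint in SENSITIVE_HINTS)


def find_insecure_cookies(set_cookie_headers):
    """Return the names of sensitive cookies that were set without Secure."""
    findings = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        # Match the attribute name itself, not the substring "secure" anywhere.
        if is_sensitive(name) and "secure" not in attrs:
            findings.append(name)
    return findings


# Constructed Set-Cookie values as they might appear in an HTTPS response.
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/; HttpOnly",                # missing Secure
    "auth_token=xyz789; Path=/; Secure; HttpOnly",        # correctly marked
    "theme=dark; Path=/",                                 # not sensitive
    "sid=42; Path=/; SECURE",                             # attribute names are case-insensitive
    "csrf_token=q1; Path=/; Domain=secure.example.test",  # "secure" in a value is not the attribute
]

if __name__ == "__main__":
    for cookie_name in find_insecure_cookies(SAMPLE_HEADERS):
        print(f"CWE-614: cookie {cookie_name!r} lacks the Secure attribute")
```

Cookies reported here would be attached by the user agent to plain HTTP requests to the same host; adding Secure to the Set-Cookie line restricts them to HTTPS.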