Insecurely generated cookies


The system does not set security attributes for sensitive cookies, which could cause them to be sent in plain text or disclosed to unauthorized users on the client side.


Send plain text session cookies through insecure channels.


The application must set the corresponding security attributes when cookies are generated.


Anonymous attacker from the Internet.

Expected Remediation Time

⌚ 15 minutes.


Default score using CVSS 3.1. It may change depending on the context of the vulnerability.


  • Attack vector: N
  • Attack complexity: H
  • Privileges required: N
  • User interaction: R
  • Scope: U
  • Confidentiality: L
  • Integrity: L
  • Availability: N


  • Exploit code maturity: P
  • Remediation level: O
  • Report confidence: X


  • Vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:X
  • Score:
    • Base: 4.2
    • Temporal: 3.8
  • Severity:
    • Base: Medium
    • Temporal: Low

Code Examples

Compliant code

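using System;
using System.Web;

namespace cookies {
    public class CookieExample {
        public static void Main(string[] args) {
            // Placeholder values; in an application these come from the session logic
            string key = "session";
            string value = "session-value";
            int expireDay = 1;

            var secure_cookie = new HttpCookie(key, value);
            secure_cookie.Expires = DateTime.Now.AddDays(expireDay);
            // HttpOnly keeps the cookie out of reach of client-side scripts
            secure_cookie.HttpOnly = true;
            // Secure restricts the cookie to HTTPS connections
            secure_cookie.Secure = true;
        }
    }
}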

Non compliant code

Incorrectly configured cookie settings

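using System;
using System.Web;

namespace cookies {
    public class CookieExample {
        public static void Main(string[] args) {
            // Placeholder values for illustration
            string key = "session";
            string value = "session-value";
            int expireDay = 1;

            var insecure_cookie = new HttpCookie(key, value);
            insecure_cookie.Expires = DateTime.Now.AddDays(expireDay);
            insecure_cookie.HttpOnly = true;
            // Secure is never set, so this cookie can travel over plain HTTP

            // This cookie is created with no security attributes at all
            var insecure = new HttpCookie(key, value);
        }
    }
}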
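
To confirm the fix from the outside, the Set-Cookie headers an application returns can be audited for the two attributes used above. The following Python check is an added example, not part of the original page; the function names and the sample header values are constructed for illustration.

```python
"""Audit Set-Cookie header values for the Secure and HttpOnly attributes."""

REQUIRED_FLAGS = ("secure", "httponly")


def parse_set_cookie(header_value):
    """Return (cookie_name, set_of_lowercased_attribute_names)."""
    parts = [p.strip() for p in header_value.split(";")]
    # The first segment is always name=value; it is never an attribute,
    # so a value such as "theme=secure" is not mistaken for the flag.
    name = parts[0].split("=", 1)[0].strip()
    attributes = set()
    for part in parts[1:]:
        if part:
            # Attribute names are case-insensitive; drop any "=value" part.
            attributes.add(part.split("=", 1)[0].strip().lower())
    return name, attributes


def missing_flags(header_value):
    """Return the cookie name and the required flags it lacks."""
    name, attributes = parse_set_cookie(header_value)
    return name, [f for f in REQUIRED_FLAGS if f not in attributes]


def audit(header_values):
    """Map each non-compliant cookie name to its missing flags."""
    findings = {}
    for value in header_values:
        name, missing = missing_flags(value)
        if missing:
            findings[name] = missing
    return findings


# Constructed sample headers, modelled on the three cookies on this page:
# fully flagged, HttpOnly only, and no security attributes.
SAMPLE_HEADERS = [
    "sid=abc123; Expires=Wed, 01 Jan 2031 00:00:00 GMT; HttpOnly; Secure",
    "sid2=abc123; Expires=Wed, 01 Jan 2031 00:00:00 GMT; httponly",
    "theme=secure; Path=/",
]

if __name__ == "__main__":
    for cookie, flags in audit(SAMPLE_HEADERS).items():
        print(f"{cookie}: missing {', '.join(flags)}")
```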