A new cookie is created without the Secure flag set to true. The Secure flag is a browser directive that prevents the cookie from being transmitted over insecure connections (http://).

Bad Practice

Cookie cookie = new Cookie("userName",userName);
response.addCookie(cookie);

Recommended

Always ensure that the Secure flag is set when creating the cookie.

Cookie cookie = new Cookie("userName",userName);
cookie.setSecure(true); // Secure flag
cookie.setHttpOnly(true);

It is also possible to ensure that this is enforced through the servlet web.xml configuration, like so (this is specific to the Servlet 3.0 API):

<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
[...]
<session-config>
 <cookie-config>
  <http-only>true</http-only>
  <secure>true</secure>
 </cookie-config>
</session-config>
</web-app>

References

CWE-200 - Information Exposure
CWE-201 - Insertion of Sensitive Information Into Sent Data
CWE-614 - Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
CWE-319 - Cleartext Transmission of Sensitive Information
OWASP - Secure Flag
OWASP Top Ten (2021) - Category A05 - Security Misconfiguration
OWASP Top Ten (2021) - Category A07 - Identification and Authentication Failures
FindSecBugs - INSECURE_COOKIE

deepsourcestatus / test-repository

No ignore rules found