Insecure Cookie Configuration
Session cookies are missing the Secure, HttpOnly, or SameSite attributes, exposing them to theft via XSS, MITM, or CSRF.
What is Insecure Cookie Configuration?
Cookies that authenticate users (session cookies, JWT tokens, CSRF tokens) must have three security attributes: Secure (only sent over HTTPS), HttpOnly (not accessible via JavaScript — prevents XSS theft), and SameSite=Lax or Strict (prevents CSRF). Without these, cookies can be stolen via XSS, intercepted over HTTP, or sent on cross-site requests.
Why It Matters to Your Business
Insecure cookies enable account takeover via XSS (steal cookies with document.cookie), session hijacking over HTTP, and CSRF attacks. For e-commerce and SaaS sites, this can lead to mass account compromise.
How to Fix It
Set all three attributes on every Set-Cookie:
Set-Cookie: session_id=abc123; Secure; HttpOnly; SameSite=Lax; Path=/; Max-Age=3600
In Laravel (config/session.php):
'secure' => env('SESSION_SECURE_COOKIE', true),
'http_only' => true,
'same_site' => 'lax',
In PHP (php.ini):
session.cookie_secure = 1
session.cookie_httponly = 1
session.cookie_samesite = "Lax"
In Express.js:
app.use(session({ cookie: { secure: true, httpOnly: true, sameSite: 'lax' }}))
Technical Classification
| OWASP Category | A05:2021 — Security Misconfiguration |
| CWE ID | CWE-1004: Sensitive Cookie Without HttpOnly |
| Detected By | cookies scanner(s) |
| Severity Level | high |
How 2MNY Security Can Help
Check if your website has this vulnerability
Our cookies scanner checks for this issue automatically.
Scan My Website FreeRelated Vulnerabilities
Missing HSTS Header
The HTTP Strict Transport Security (HSTS) header is missing, allowing browsers to silently downgrade HTTPS connections to HTTP.
Missing Content-Security-Policy Header
No Content-Security-Policy (CSP) header is set, leaving the site vulnerable to cross-site scripting (XSS) and data injection attacks.
Missing X-Frame-Options Header (Clickjacking)
The X-Frame-Options header is missing, allowing your site to be embedded in iframes on malicious sites (clickjacking attacks).
CORS Misconfiguration
The server reflects arbitrary Origin headers with credentials, allowing any website to make authenticated cross-origin requests.