Overview
HTTP cookies are the primary mechanism web applications use to maintain state — most critically, authenticated sessions. RFC 6265 defines several optional cookie attributes that restrict how and when browsers transmit or expose cookie values. Two of the most security-critical attributes are:
- Secure — instructs the browser to transmit the cookie only over HTTPS connections, preventing exposure over unencrypted HTTP.
- HttpOnly — prevents client-side JavaScript from accessing the cookie value via
document.cookie, mitigating cookie theft through Cross-Site Scripting (XSS).
When either attribute is absent on a sensitive cookie (e.g., a session identifier), the attack surface for session hijacking expands significantly. Sensagraph automatically detects missing Secure and HttpOnly flags on cookies set by scanned applications.
How it works
Missing Secure flag: If a session cookie is issued without the Secure attribute, the browser will include it in both HTTP and HTTPS requests. An on-path attacker (e.g., on an open Wi-Fi network) performing a passive intercept or an SSL-stripping attack (HTTPS downgrade) can capture the cookie in plaintext, even if the origin server exclusively serves HTTPS.
Missing HttpOnly flag: Without the HttpOnly attribute, any JavaScript executing in the page context — including injected malicious scripts from an XSS vulnerability — can read the cookie value using document.cookie and exfiltrate it to an attacker-controlled server. This is the canonical post-exploitation step in XSS-based session hijacking.
- A
Set-Cookieheader such asSet-Cookie: sessionid=abc123; Path=/is insecure — it lacks both flags. - The secure version is:
Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Strict. - The
SameSiteattribute (Lax or Strict) is a complementary control that mitigates Cross-Site Request Forgery (CSRF) but does not replace Secure or HttpOnly. - Cookies set over HTTP cannot retroactively become Secure cookies — the flag must be present in the original
Set-Cookieresponse header. - Third-party or analytics cookies lacking HttpOnly also expose user tracking identifiers to script injection attacks.
Business impact
Exploitation of insecurely configured cookies can lead to full account takeover if the affected cookie carries a session token or authentication credential. Specific consequences include:
- Session hijacking: An attacker who obtains a valid session cookie can impersonate the authenticated user without needing their password.
- Privilege escalation: If an administrative session cookie is captured, the attacker gains the highest level of access to the application.
- Regulatory exposure: Session data is often considered personal data under GDPR, CCPA, and similar regulations. Inadequate cookie security can constitute a failure to implement appropriate technical safeguards, resulting in fines and mandatory breach notification.
- Reputational damage: Account takeover incidents erode user trust and may require public disclosure depending on jurisdiction.
- PCI DSS non-compliance: Applications handling payment card data are required under PCI DSS Requirement 6 to protect session management mechanisms, including cookie security.
How to fix it
- Set the Secure flag on all sensitive cookies. Ensure every cookie that carries a session identifier, authentication token, or any sensitive value is issued with the
Secureattribute. This must be combined with enforcing HTTPS across the entire application (use HSTS —Strict-Transport-Security). - Set the HttpOnly flag on all session and authentication cookies. Unless a cookie value genuinely needs to be read by client-side JavaScript (rare and generally avoidable by design), apply
HttpOnlyto prevent script access. - Add the SameSite attribute. Set
SameSite=Strictfor session cookies where cross-site requests are not required, orSameSite=Laxas a minimum baseline. AvoidSameSite=Noneunless necessary (and it requiresSecure). - Audit cookie issuance centrally. Use framework-level or middleware-level cookie configuration rather than setting attributes per-response. Most frameworks provide a global session cookie configuration (e.g.,
SESSION_COOKIE_SECUREandSESSION_COOKIE_HTTPONLYin Django;cookie: { secure: true, httpOnly: true }in Express/connect sessions). - Scope cookies with Path and Domain. Restrict cookies to the narrowest necessary path and domain to limit exposure if another subdomain is compromised.
- Implement Content Security Policy (CSP). A robust CSP reduces the risk of XSS, which is the primary attack vector that benefits from a missing HttpOnly flag. This is a defence-in-depth measure, not a substitute for HttpOnly.
- Rotate and expire cookies appropriately. Issue cookies with explicit
Max-AgeorExpiresvalues; issue new session cookies upon privilege changes (login, role change) and invalidate old ones server-side. - Test using automated and manual review. Inspect all
Set-Cookieheaders in HTTP responses, including those from third-party integrations and CDN edge layers, to confirm flags are consistently applied.
References
- RFC 6265 – HTTP State Management Mechanism (IETF)
- OWASP – Secure Cookie Attribute
- OWASP – HttpOnly Cookie Attribute
- OWASP Session Management Cheat Sheet
- CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute (MITRE)
- CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag (MITRE)
- HTTP Cookies – MDN Web Docs
- Set-Cookie HTTP Header – MDN Web Docs
- OWASP Top 10 A02:2021 – Cryptographic Failures