Python Cookie Secure Set False
Description
Detects when cookies are configured without the secure flag set to True in Python web applications. Cookies without the secure flag can be transmitted over unencrypted HTTP connections, potentially exposing sensitive session data to network attackers who could intercept and steal cookie information.
Detection Strategy
• Identifies cookie-related function calls including 'set_cookie', 'AuthTktCookieHelper', and 'AuthTktAuthenticationPolicy'
• Examines the arguments passed to these cookie functions to check if the secure parameter is explicitly set to False or omitted
• Reports a vulnerability when cookies are configured without proper secure flag settings
• Specifically focuses on cookie configurations in Python web frameworks and authentication systems
Vulnerable code example
from pyramid.authentication import AuthTktAuthenticationPolicy
from starlette.responses import HTMLResponse
def set_insecure_cookie(response: HTMLResponse, token: str) -> HTMLResponse:
# Vulnerable: secure=False allows cookie transmission over HTTP
response.set_cookie(
key="auth_token",
value=token,...✅ Secure code example
from pyramid.authentication import AuthTktAuthenticationPolicy
from starlette.responses import HTMLResponse
def set_secure_cookie(response: HTMLResponse, token: str) -> HTMLResponse:
response.set_cookie(
key="auth_token",
value=token,
secure=True, # Require HTTPS for cookie transmission...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.