Javascript Session Cookie Secure False

Description

Detects insecure session cookie configurations in Express.js applications where cookies are not set with the 'secure' flag. When session cookies lack the secure flag, they can be transmitted over unencrypted HTTP connections, potentially exposing session data to interception attacks.

Weakness:

130 - Insecurely generated cookies - Secure

Category: Access Subversion

Detection Strategy

    Identifies usage of 'express-session' module in the code

    Checks the configuration object passed to express-session middleware

    Reports a vulnerability when either:

    - No configuration object is provided to express-session

    - The configuration object sets cookie.secure to false or omits it

Vulnerable code example

const express = require('express');
const session = require('express-session');
const app = express();

// Vulnerable: Missing httpOnly:true and using secure:false allows cookie theft
app.use(session({
  resave: false,
  saveUninitialized: true,...

✅ Secure code example

const express = require('express');
const session = require('express-session');
const app = express();

// Secure: httpOnly prevents XSS access, secure ensures HTTPS-only transmission
app.use(session({
  resave: false,
  saveUninitialized: true,...
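The detection strategy and the secure configuration above, as an added example that is not the rule's own implementation: a check over the options object handed to express-session that reports exactly the conditions the rule flags (no options, cookie.secure omitted, cookie.secure false), alongside a constructed hardened options object. Option names are express-session's documented ones; the sample objects and the placeholder secret are constructed.

```javascript
'use strict';

const WEAKNESS_ID = '130'; // weakness identifier used on this page

/**
 * Audit an express-session options object against the rule above.
 * Returns an array of finding strings; an empty array means the cookie
 * settings pass. Runs without express or express-session installed.
 */
function auditSessionOptions(options) {
  const findings = [];
  if (options === null || typeof options !== 'object') {
    // session() called with no options at all
    findings.push(`${WEAKNESS_ID}: no configuration object passed to express-session`);
    return findings;
  }
  const cookie = options.cookie;
  // express-session defaults cookie.secure to false, so omitting it lets the
  // session cookie travel over plain HTTP. The value 'auto' sets the flag only
  // when the request itself is HTTPS, so it is not reported here.
  if (!cookie || !('secure' in cookie)) {
    findings.push(`${WEAKNESS_ID}: cookie.secure is omitted (defaults to false)`);
  } else if (cookie.secure === false) {
    findings.push(`${WEAKNESS_ID}: cookie.secure is explicitly false`);
  }
  // cookie.httpOnly defaults to true; only an explicit false is a defect
  if (cookie && cookie.httpOnly === false) {
    findings.push(`${WEAKNESS_ID}: cookie.httpOnly is explicitly false`);
  }
  return findings;
}

// Constructed sample: the weak shape the rule reports.
const vulnerableOptions = {
  secret: 'placeholder-secret', // constructed placeholder, not a real secret
  resave: false,
  saveUninitialized: true,
  cookie: { secure: false, httpOnly: false },
};

// Constructed sample: the hardened shape that passes the audit.
const secureOptions = {
  secret: 'placeholder-secret',
  resave: false,
  saveUninitialized: false,
  cookie: { secure: true, httpOnly: true, sameSite: 'lax', maxAge: 60 * 60 * 1000 },
};
```

When the application runs behind a TLS-terminating proxy, express-session only sets a `secure: true` cookie if the app also has `app.set('trust proxy', 1)`; otherwise the cookie is never issued and the audit above will pass while logins silently fail.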