Java Cookie Secure Flag False
Description
Detects when Spring Framework's CookieGenerator (org.springframework.web.util.CookieGenerator) is configured without the Secure flag or with secure=false. CookieGenerator does not set the flag by default, so an instance on which setCookieSecure(true) is never called emits cookies without the Secure attribute. The browser then sends such cookies over unencrypted HTTP as well as HTTPS, exposing session identifiers and any other sensitive cookie contents to an attacker who can observe or redirect the client's traffic.
Detection Strategy
• Identifies every place where a CookieGenerator object is created in a Spring application
• Reports a vulnerability if the setCookieSecure() method is never called on that CookieGenerator instance
• Reports a vulnerability if setCookieSecure() is called with an explicit 'false' argument
• Checks the entire scope in which the CookieGenerator instance is used (not just the line that creates it) to determine whether the Secure flag is set
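The following is an added illustration of the detection strategy above, written for this page rather than taken from Fluid Attacks' scanner: it finds each CookieGenerator declaration in a Java source file, takes the rest of the enclosing block as the variable's scope, and reports the instance when setCookieSecure() is never called on it or is called with a literal false. It is regex and brace-matching based, not a real Java parser, and the Java sample it scans is constructed for the example.

```python
"""Toy checker for the "Java Cookie Secure Flag False" detection strategy.

Not a real parser: it strips comments, finds `CookieGenerator x = new
CookieGenerator(` declarations, and treats everything up to the closing
brace of the enclosing block as the scope of `x`.
"""
import re
from dataclasses import dataclass

# `CookieGenerator gen = new CookieGenerator(` -> captures the variable name
DECL_RE = re.compile(r"\bCookieGenerator\s+(\w+)\s*=\s*new\s+CookieGenerator\s*\(")
# Block and line comments; string literals containing "//" are not handled.
COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*", re.DOTALL)


@dataclass
class Finding:
    variable: str
    line: int
    reason: str


def strip_comments(source: str) -> str:
    """Blank out comments but keep their newlines so line numbers stay stable.
    Without this, a commented-out setCookieSecure(true) would count as a call."""
    return COMMENT_RE.sub(lambda m: "\n" * m.group().count("\n"), source)


def enclosing_block_end(source: str, start: int) -> int:
    """Index of the '}' that closes the block containing `start`.
    Nested blocks opened after `start` are balanced out, so the returned
    position is the end of the local variable's scope."""
    depth = 0
    for i in range(start, len(source)):
        if source[i] == "{":
            depth += 1
        elif source[i] == "}":
            if depth == 0:
                return i
            depth -= 1
    return len(source)


def scan(source: str) -> list[Finding]:
    """Apply the three rules of the detection strategy to one Java file."""
    code = strip_comments(source)
    findings: list[Finding] = []
    for decl in DECL_RE.finditer(code):
        var = decl.group(1)
        line = code.count("\n", 0, decl.start()) + 1
        scope = code[decl.end():enclosing_block_end(code, decl.end())]
        # raw argument text of every `var.setCookieSecure(<arg>)` in scope
        calls = re.findall(
            r"\b%s\s*\.\s*setCookieSecure\s*\(\s*([^)]*?)\s*\)" % re.escape(var), scope
        )
        if not calls:
            findings.append(Finding(var, line, "setCookieSecure() never called"))
        elif any(arg == "false" for arg in calls):
            findings.append(Finding(var, line, "setCookieSecure(false) disables the Secure flag"))
        # setCookieSecure(true), or a non-literal argument, is not reported here
    return findings


# Constructed sample input: one instance per rule, plus a commented-out call.
SAMPLE_JAVA = """\
import org.springframework.web.util.CookieGenerator;
import javax.servlet.http.HttpServletResponse;

public class CookieExamples {
    public void neverSet(HttpServletResponse response) {
        CookieGenerator a = new CookieGenerator();
        a.setCookieName("sessionId");
        // a.setCookieSecure(true);  commented out, must not count as a call
        a.addCookie(response, "abc");
    }

    public void explicitFalse(HttpServletResponse response) {
        CookieGenerator b = new CookieGenerator();
        b.setCookieName("sessionId");
        b.setCookieSecure(false);
        b.addCookie(response, "abc");
    }

    public void secure(HttpServletResponse response) {
        CookieGenerator c = new CookieGenerator();
        c.setCookieName("sessionId");
        if (response != null) {
            c.setCookieSecure(true);
        }
        c.addCookie(response, "abc");
    }
}
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_JAVA):
        print(f"line {f.line}: {f.variable}: {f.reason}")
```

Running the script reports `a` (line 6, never called) and `b` (line 13, explicit false) and stays silent on `c`, whose setCookieSecure(true) sits inside a nested `if` block but is still within the variable's scope, which is why the strategy looks at the whole scope rather than the creating line.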
Vulnerable code example
import org.springframework.web.util.CookieGenerator;
import javax.servlet.http.HttpServletResponse;

public class InsecureCookieExample {
    public void createInsecureCookie(HttpServletResponse response) {
        CookieGenerator cookieGen = new CookieGenerator();
        cookieGen.setCookieName("sessionId");
        // Vulnerable: setCookieSecure() is never called, so the cookie is written
        // without the Secure attribute and the browser will also send it over plain HTTP
        cookieGen.addCookie(response, "a1b2c3"); // placeholder session value
    }
}
✅ Secure code example
import org.springframework.web.util.CookieGenerator;
import javax.servlet.http.HttpServletResponse;

public class SecureCookieExample {
    public void createSecureCookie(HttpServletResponse response) {
        CookieGenerator cookieGen = new CookieGenerator();
        cookieGen.setCookieName("sessionId");
        cookieGen.setCookieSecure(true); // Secure attribute: the browser only sends this cookie over HTTPS
        cookieGen.addCookie(response, "a1b2c3"); // placeholder session value
    }
}