CodeQL documentation

Failure to use secure cookies

ID: py/insecure-cookie
Kind: problem
Security severity: 5.0
Severity: warning
Precision: high
Tags:
   - security
   - external/cwe/cwe-614
   - external/cwe/cwe-1004
   - external/cwe/cwe-1275
Query suites:
   - python-code-scanning.qls
   - python-security-extended.qls
   - python-security-and-quality.qls

Click to see the query in the CodeQL repository

Cookies without the Secure flag set may be transmitted using HTTP instead of HTTPS, which leaves them vulnerable to reading by a third party.

Cookies without the HttpOnly flag set are accessible to JavaScript running in the same origin. In case of a Cross-Site Scripting (XSS) vulnerability, the cookie can be stolen by a malicious script.

Cookies with the SameSite attribute set to 'None' will be sent with cross-origin requests, which can be controlled by third-party JavaScript code and allow for Cross-Site Request Forgery (CSRF) attacks.

Recommendation

Always set secure to True or add “; Secure;” to the cookie’s raw value.

Always set httponly to True or add “; HttpOnly;” to the cookie’s raw value.

Always set samesite to Lax or Strict, or add “; SameSite=Lax;”, or “; Samesite=Strict;” to the cookie’s raw header value.

Example

In the following examples, the cases marked GOOD show secure cookie attributes being set; whereas in the cases marked BAD they are not set.

from flask import Flask, request, make_response, Response


@app.route("/good1")
def good1():
    resp = make_response()
    resp.set_cookie("name", value="value", secure=True, httponly=True, samesite='Strict') # GOOD: Attributes are securely set
    return resp


@app.route("/good2")
def good2():
    resp = make_response()
    resp.headers['Set-Cookie'] = "name=value; Secure; HttpOnly; SameSite=Strict" # GOOD: Attributes are securely set 
    return resp

@app.route("/bad1")
    resp = make_response()
    resp.set_cookie("name", value="value", samesite='None') # BAD: the SameSite attribute is set to 'None' and the 'Secure' and 'HttpOnly' attributes are set to False by default.
    return resp

References

  • © GitHub, Inc.
  • Terms
  • Privacy