‘Secure’ attribute is not set to true¶
ID: rust/insecure-cookie
Kind: path-problem
Security severity: 7.5
Severity: error
Precision: high
Tags:
- security
- external/cwe/cwe-319
- external/cwe/cwe-614
Query suites:
- rust-code-scanning.qls
- rust-security-extended.qls
- rust-security-and-quality.qls
Failing to set the ‘Secure’ attribute on a cookie allows it to be transmitted over an unencrypted (HTTP) connection. If an attacker can observe a user’s network traffic, they can access sensitive information in the cookie and potentially use it to impersonate the user.
Recommendation¶
Always set the cookie ‘Secure’ attribute so that the browser only sends the cookie over HTTPS.
Example¶
The following example creates a cookie using the cookie crate without the ‘Secure’ attribute:
use cookie::Cookie;

fn main() {
    // BAD: creating a cookie without specifying the `Secure` attribute,
    // so a browser will also send it over plain HTTP
    let cookie = Cookie::build(("session", "abcd1234")).build();
    let mut jar = cookie::CookieJar::new();
    jar.add(cookie.clone());
}
In the fixed example, we either call secure(true) on the CookieBuilder or set_secure(true) on the Cookie itself:
use cookie::Cookie;

fn main() {
    // GOOD: set the `Secure` attribute on the `CookieBuilder` so that the cookie is only sent over HTTPS
    let secure_cookie = Cookie::build(("session", "abcd1234")).secure(true).build();
    let mut jar = cookie::CookieJar::new();
    jar.add(secure_cookie.clone());

    // GOOD: alternatively, set the `Secure` attribute on an existing `Cookie`
    let mut secure_cookie2 = Cookie::new("session", "abcd1234");
    secure_cookie2.set_secure(true);
    jar.add(secure_cookie2);
}
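The query above finds the missing attribute at the point where the cookie is built. On the wire the same defect is visible in the Set-Cookie header the server emits, which is where a reviewer auditing captured responses or writing a handler test would look for it. The following checker is an added example, not code from the CodeQL documentation or from the cookie crate: it uses only the Rust standard library, parses a Set-Cookie value the way a browser tokenises its attributes (case-insensitive attribute names), and reports which cookies lack Secure. The function and type names (audit_set_cookie, insecure_cookies, secure_set_cookie, CookieAudit) and the sample header values are assumptions constructed for this example.

```rust
// Added example (not part of the CodeQL documentation or the `cookie` crate):
// a std-only checker for `Set-Cookie` header values that reports whether the
// `Secure` attribute (and, for context, `HttpOnly`) is present.

#[derive(Debug, PartialEq, Eq)]
pub struct CookieAudit {
    pub name: String,
    pub secure: bool,
    pub http_only: bool,
}

/// Parse one `Set-Cookie` header value. Attribute names are matched
/// case-insensitively, as browsers do. Returns `None` if the value carries
/// no `name=value` pair at all.
pub fn audit_set_cookie(header_value: &str) -> Option<CookieAudit> {
    let mut parts = header_value.split(';').map(str::trim);
    let pair = parts.next()?;
    let (name, _value) = pair.split_once('=')?;
    let name = name.trim();
    if name.is_empty() {
        return None;
    }
    let mut secure = false;
    let mut http_only = false;
    for attr in parts {
        // An attribute name is everything before an optional '='
        // (e.g. "Path=/", "Max-Age=3600", or the bare flag "Secure").
        let key = attr.split('=').next().unwrap_or("").trim();
        if key.eq_ignore_ascii_case("secure") {
            secure = true;
        } else if key.eq_ignore_ascii_case("httponly") {
            http_only = true;
        }
    }
    Some(CookieAudit { name: name.to_string(), secure, http_only })
}

/// Names of the cookies, among a response's `Set-Cookie` values, that lack `Secure`.
pub fn insecure_cookies(headers: &[&str]) -> Vec<String> {
    headers
        .iter()
        .filter_map(|h| audit_set_cookie(h))
        .filter(|a| !a.secure)
        .map(|a| a.name)
        .collect()
}

/// Render a cookie as a `Set-Cookie` value with `Secure` and `HttpOnly` set,
/// the shape that `Cookie::build(..).secure(true).http_only(true)` serialises to.
pub fn secure_set_cookie(name: &str, value: &str) -> String {
    format!("{}={}; Secure; HttpOnly; SameSite=Lax", name, value)
}

fn main() {
    // Constructed sample responses, not captured from any real server.
    let csrf = secure_set_cookie("csrf", "xyz");
    let headers = [
        "session=abcd1234; Path=/",
        "session2=abcd1234; Path=/; Secure; HttpOnly",
        csrf.as_str(),
    ];
    for name in insecure_cookies(&headers) {
        println!("cookie `{}` is missing the Secure attribute", name);
    }
}
```

Because the check keys on the header text rather than on a particular crate's API, it catches the defect regardless of how the cookie was constructed, which complements the source-level query: the query reports the call site, the header audit confirms what the deployed server actually sends.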
References¶
MDN Web Docs: Using HTTP cookies.
OWASP Cheat Sheet Series: Session Management Cheat Sheet - Transport Layer Security.
MDN Web Docs: Set-Cookie header - Secure.
Common Weakness Enumeration: CWE-319.
Common Weakness Enumeration: CWE-614.