Unsecured Session Cookie attacks take advantage of session cookies that can be observed by unauthorized parties because they are transmitted in clear text. If the session cookie does not have the Secure attribute set, the browser will also send it over unencrypted HTTP connections, so it travels in clear text between the client and the server, and a cookie exposed this way is open to Unsecured Session Cookie capture and abuse.
The Secure flag is an additional cookie attribute you can set to instruct the browser to send the cookie only over encrypted HTTPS connections (i.e., never over unencrypted HTTP). This ensures that your session cookie is not visible to an attacker positioned on the network path, for instance in a man-in-the-middle attack.
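As an added example (not code from the original page), the following script audits Set-Cookie response headers for session-like cookies that lack the Secure flag and builds the hardened header an application should emit instead. The session-name hints, the parser and the sample headers are this example's own constructions.

```python
"""Audit Set-Cookie headers for the Secure flag and build the hardened form.
Constructed example: the parser and the session-name hints are its own."""

# Cookie names that usually carry a session identifier (constructed list).
SESSION_NAME_HINTS = ("session", "sess", "sid", "auth", "token")

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attributes). Attribute
    names are case-insensitive (RFC 6265); value-less flags such as Secure
    and HttpOnly are stored with the value None."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, has_value, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip() if has_value else None
    return name.strip(), value, attrs

def looks_like_session_cookie(name):
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)

def audit_set_cookie_headers(headers):
    """Return names of session-like cookies set without Secure, i.e. cookies
    the browser would also send over unencrypted HTTP."""
    findings = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if looks_like_session_cookie(name) and "secure" not in attrs:
            findings.append(name)
    return findings

def hardened_set_cookie(name, value, max_age=None):
    """Build a Set-Cookie header with Secure, plus HttpOnly and SameSite=Lax,
    which the same session-cookie threat model normally calls for."""
    parts = [f"{name}={value}", "Path=/", "Secure", "HttpOnly", "SameSite=Lax"]
    if max_age is not None:
        parts.append(f"Max-Age={max_age}")
    return "; ".join(parts)

# Constructed sample response headers: one weak, one hardened, one irrelevant.
SAMPLE_HEADERS = [
    "sessionid=8f3a9c; Path=/; HttpOnly",          # no Secure flag
    "PHPSESSID=abc123; Path=/; Secure; HttpOnly",  # Secure present
    "theme=dark; Path=/",                          # not a session cookie
]
```

Running `audit_set_cookie_headers(SAMPLE_HEADERS)` over a captured response is a quick way to confirm that every session cookie your application sets carries the flag described above.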