Application Security Terminology

Glossary

Unsecured Session Cookie

Unsecured Session Cookie attacks take advantage of session cookies that unauthorized parties can observe because they are transmitted in clear text. If the session cookie does not have the Secure attribute set, the browser will also send it over unencrypted HTTP connections, where it travels in clear text between client and server and is exposed to interception and abuse.

Session cookies are used to perform session management for web applications. These cookies hold the reference to the session identifier for a given user, and the same identifier is maintained server-side along with any session-scoped data related to that session id. Because cookies are transmitted on every request, they are the most common mechanism used for session management in web applications.

The Secure flag is a cookie attribute you can set to instruct the browser to send the cookie only over encrypted HTTPS connections (i.e., never over unencrypted HTTP). This ensures that your session cookie is not visible to an attacker who can observe the network path, for instance in a man-in-the-middle attack.
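As an added example (not part of this glossary), the following Python audits Set-Cookie headers for session cookies that lack the Secure flag, and shows the hardened header beside the weak one. The name hints used to recognise a session cookie and the sample headers are constructed assumptions.

```python
# Added example: detect session cookies missing the Secure (and HttpOnly) flag.
from dataclasses import dataclass, field
from typing import Optional

# Name fragments treated as "probably a session cookie" (assumption for the demo).
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token")


@dataclass
class Finding:
    cookie: str
    issues: list = field(default_factory=list)


def parse_set_cookie(header: str):
    """Split a Set-Cookie value into (name, value, {attribute: value or True})."""
    segments = [s.strip() for s in header.split(";") if s.strip()]
    name, _, value = segments[0].partition("=")
    attrs = {}
    for seg in segments[1:]:
        key, has_eq, val = seg.partition("=")
        # Flag attributes such as Secure and HttpOnly carry no value.
        attrs[key.strip().lower()] = val.strip() if has_eq else True
    return name.strip(), value.strip(), attrs


def is_session_cookie(name: str) -> bool:
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def audit_set_cookie(header: str) -> Optional[Finding]:
    """Return a Finding for a session cookie missing Secure/HttpOnly, else None."""
    name, _, attrs = parse_set_cookie(header)
    if not is_session_cookie(name):
        return None
    issues = []
    if "secure" not in attrs:
        issues.append("missing Secure: browser will send it over plain HTTP")
    if "httponly" not in attrs:
        issues.append("missing HttpOnly: readable by page scripts")
    return Finding(name, issues) if issues else None


def harden_set_cookie(header: str) -> str:
    """Append Secure and HttpOnly if absent; existing attributes are kept."""
    _, _, attrs = parse_set_cookie(header)
    out = header.rstrip("; ")
    for flag in ("Secure", "HttpOnly"):
        if flag.lower() not in attrs:
            out += f"; {flag}"
    return out


# Constructed sample headers, as a server might emit them.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",          # session cookie, no Secure
    "sessionid=abc123; Path=/; Secure; HttpOnly",  # correctly flagged
    "theme=dark; Path=/",                          # not a session cookie
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        finding = audit_set_cookie(h)
        print(h, "->", finding.issues if finding else "ok", "|", harden_set_cookie(h))
```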