Permissive cookie configuration

Overview

• Rule ID: java_lang_permissive_cookie_config

• Applicable Languages: Java

• Weakness ID: CWE-693

Description

Overly permissive cookie settings can make your application vulnerable to security risks, including unauthorized access and exploits.

Remediation Guidelines

• Avoid setting the cookie's max age to -1, as this causes the cookie to persist until the browser session ends, posing a security risk.

  Copy

  Cookie cookie = new Cookie("name", "value");
  cookie.setMaxAge(-1); // unsafe
  

• Avoid setting the cookie's path to "/", which makes the cookie accessible to all paths in the domain and increases security risks.

  Copy

  Cookie cookie = new Cookie("name", "value");
  cookie.setPath("/"); // unsafe 
  

• Instead, set a limited maximum age for cookies to control their lifespan effectively.

  Copy

  Cookie cookie = new Cookie("name", "value");
  cookie.setMaxAge(3000);
  

• Restrict the cookie's path to specific parts of your application to enhance security by limiting its exposure.

  Copy

  Cookie cookie = new Cookie("name", "value");
  cookie.setPath("/my-cookie-path");

References

• CWE-693: Protection Mechanism Failure

Configuration

To omit this rule during a scan, and to provide you with continuous 24/7 code-level scanning, you can employ our SAST TOOL