Permissive cookie configuration
Overview
Rule ID: java_lang_permissive_cookie_config
Applicable Languages: Java
Weakness ID: CWE-693
Description
Overly permissive cookie settings can make your application vulnerable to security risks, including unauthorized access and exploits.
Remediation Guidelines
Avoid setting the cookie's max age to -1: a negative value creates a session cookie that persists until the browser session ends, with no server-defined expiry, which this rule treats as a security risk.
Cookie cookie = new Cookie("name", "value"); cookie.setMaxAge(-1); // unsafe
Avoid setting the cookie's path to "/", which causes the browser to send the cookie with requests to every path on the domain and increases its exposure.
Cookie cookie = new Cookie("name", "value"); cookie.setPath("/"); // unsafe
Instead, set a finite, limited maximum age (in seconds) so the cookie's lifespan is bounded.
Cookie cookie = new Cookie("name", "value"); cookie.setMaxAge(3000); // expires after 3000 seconds
Restrict the cookie's path to the specific part of your application that needs it, so it is only sent with requests under that path.
Cookie cookie = new Cookie("name", "value"); cookie.setPath("/my-cookie-path");
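The following is an added example, not code from the original rule page or from the SAST tool it describes. It wraps the two remediation steps above in a small factory that refuses the permissive settings the rule flags, and adds a review helper that reports why an already-built cookie would trip the rule. It assumes the Servlet API (javax.servlet.http.Cookie) is on the classpath; the class name ScopedCookies, the policy constant MAX_AGE_LIMIT_SECONDS and the method names scopedCookie and permissiveReason are this example's own. The calls to setHttpOnly and setSecure go beyond what the rule checks; they are standard Cookie methods included as further hardening of the same object.

```java
// Added example (not from the original page). Assumes javax.servlet.http.Cookie
// (Servlet API 3.0+) is available on the classpath.
import javax.servlet.http.Cookie;

public final class ScopedCookies {

    /** Hypothetical policy value for the longest lifetime we accept: one hour. */
    static final int MAX_AGE_LIMIT_SECONDS = 3600;

    /**
     * Build a cookie that satisfies the rule: a non-negative, bounded max-age
     * (in seconds) and an explicit path narrower than "/". Inputs the rule
     * flags as permissive are rejected instead of silently accepted.
     */
    static Cookie scopedCookie(String name, String value, String path, int maxAgeSeconds) {
        if (maxAgeSeconds < 0) {
            throw new IllegalArgumentException(
                "max-age " + maxAgeSeconds + " would create a session cookie (rule flags -1)");
        }
        if (maxAgeSeconds > MAX_AGE_LIMIT_SECONDS) {
            throw new IllegalArgumentException(
                "max-age exceeds policy limit of " + MAX_AGE_LIMIT_SECONDS + " seconds");
        }
        if (path == null || path.equals("/") || !path.startsWith("/")) {
            throw new IllegalArgumentException(
                "path must be a specific sub-path starting with \"/\", not \"" + path + "\"");
        }
        Cookie cookie = new Cookie(name, value);
        cookie.setMaxAge(maxAgeSeconds);
        cookie.setPath(path);
        // Beyond what the rule checks, but standard hardening on the same object:
        cookie.setHttpOnly(true); // not readable from document.cookie
        cookie.setSecure(true);   // only sent over HTTPS
        return cookie;
    }

    /**
     * Review helper: return the reasons an existing cookie would trip the rule,
     * or an empty string if it would not. Only an explicit "/" path is flagged;
     * an unset path means the browser applies its own default.
     */
    static String permissiveReason(Cookie cookie) {
        StringBuilder reasons = new StringBuilder();
        if (cookie.getMaxAge() < 0) {
            reasons.append("max-age is negative (session cookie, no server-defined expiry); ");
        }
        if ("/".equals(cookie.getPath())) {
            reasons.append("path is \"/\" (sent with requests to every path on the domain); ");
        }
        return reasons.toString().trim();
    }

    public static void main(String[] args) {
        // The two unsafe shapes from the rule text, built directly.
        Cookie unsafe = new Cookie("name", "value");
        unsafe.setMaxAge(-1);
        unsafe.setPath("/");
        System.out.println("unsafe  -> " + permissiveReason(unsafe));

        // The remediated shape from the rule text, built through the factory.
        Cookie safe = scopedCookie("name", "value", "/my-cookie-path", 3000);
        String verdict = permissiveReason(safe);
        System.out.println("safe    -> " + (verdict.isEmpty() ? "ok" : verdict));

        // An input the factory refuses.
        try {
            scopedCookie("name", "value", "/", 3000);
        } catch (IllegalArgumentException e) {
            System.out.println("refused -> " + e.getMessage());
        }
    }
}
```

Run it with the Servlet API jar on the classpath (javac -cp servlet-api.jar ScopedCookies.java, then java with the same classpath). The factory is the place to enforce the rule in application code; permissiveReason is useful in a code-review or unit-test context, where it gives the same two verdicts the rule does on cookies built elsewhere.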
Configuration
To omit this rule during a scan, exclude it in the SAST tool's scan configuration.