# Permissive cookie configuration

## Overview

* **Rule ID**: `java_lang_permissive_cookie_config`
* **Applicable Languages**: Java
* **Weakness ID**: CWE-693

## Description

Overly permissive cookie settings, such as an unbounded lifetime or a path of `/` that exposes the cookie to every endpoint on the domain, widen the window in which a stolen or leaked cookie can be used and can contribute to unauthorized access.

## Remediation Guidelines

* **Avoid** setting the cookie's max age to -1, as this causes the cookie to persist until the browser session ends, posing a security risk.

  ```java
  Cookie cookie = new Cookie("name", "value");
  cookie.setMaxAge(-1); // unsafe
  ```
* **Avoid** setting the cookie's path to "/", which makes the cookie accessible to all paths in the domain and increases security risks.

  ```java
  Cookie cookie = new Cookie("name", "value");
  cookie.setPath("/"); // unsafe
  ```
* **Instead, set** a limited maximum age for cookies to control their lifespan effectively.

  ```java
  Cookie cookie = new Cookie("name", "value");
  cookie.setMaxAge(3000);
  ```
* **Restrict** the cookie's path to specific parts of your application to enhance security by limiting its exposure.

  ```java
  Cookie cookie = new Cookie("name", "value");
  cookie.setPath("/my-cookie-path");
  ```
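The four guidelines above fit together as one helper. The following is an added example, not code from the rule or the tool it documents: it builds a cookie with a bounded lifetime and a scoped path, and an `audit` method reports the two permissive settings the rule flags. It assumes `javax.servlet-api` (Servlet 3.0 or later) is on the classpath; the class name `ScopedCookieFactory`, the ceiling of 3000 seconds and the path `/my-cookie-path` are illustrative choices taken from the snippets above, and the `HttpOnly`/`Secure` flags are additional hardening beyond the two checks the rule describes.

```java
import java.util.ArrayList;
import java.util.List;
import javax.servlet.http.Cookie;

/**
 * Added example (not part of the rule documentation): creates cookies that
 * satisfy the rule and audits existing ones for the two permissive settings.
 * Assumes javax.servlet-api is available at compile and run time.
 */
public final class ScopedCookieFactory {

    // Hypothetical policy values; the rule's snippets use the same numbers.
    private static final int MAX_AGE_CEILING_SECONDS = 3000;
    private static final String APP_PATH = "/my-cookie-path";

    private ScopedCookieFactory() {}

    /**
     * Creates a cookie whose max age is bounded by the policy ceiling and whose
     * path is restricted to the application prefix. A negative requested age is
     * rejected because -1 means "keep until the browser exits" in the servlet API.
     */
    public static Cookie create(String name, String value, int requestedMaxAgeSeconds) {
        if (requestedMaxAgeSeconds < 0) {
            throw new IllegalArgumentException(
                "max age must be a bounded, non-negative number of seconds");
        }
        Cookie cookie = new Cookie(name, value);
        cookie.setMaxAge(Math.min(requestedMaxAgeSeconds, MAX_AGE_CEILING_SECONDS));
        cookie.setPath(APP_PATH);   // never "/"
        // Hardening beyond the rule's two checks: keep the cookie away from
        // script access and off plaintext connections.
        cookie.setHttpOnly(true);
        cookie.setSecure(true);
        return cookie;
    }

    /** Returns a description of each permissive setting found; empty when the cookie complies. */
    public static List<String> audit(Cookie cookie) {
        List<String> findings = new ArrayList<>();
        if (cookie.getMaxAge() < 0) {
            findings.add("maxAge is negative (-1): cookie persists until the browser session ends");
        }
        String path = cookie.getPath();
        if (path == null) {
            findings.add("path is not set: the browser derives it from the request URL instead of an explicit scope");
        } else if ("/".equals(path)) {
            findings.add("path is \"/\": cookie is sent to every path on the domain");
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample: the configuration the rule flags.
        Cookie permissive = new Cookie("name", "value");
        permissive.setMaxAge(-1);
        permissive.setPath("/");
        System.out.println("permissive cookie: " + audit(permissive)); // two findings

        // The compliant configuration produced by the factory.
        Cookie scoped = create("name", "value", 3000);
        System.out.println("scoped cookie:     " + audit(scoped));     // []
    }
}
```

`audit` reads only the attributes the servlet `Cookie` object exposes, so it can be run over cookies just before they are added to the response as a last-line check in tests or in a response filter.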

## References

* [**CWE-693: Protection Mechanism Failure**](https://cwe.mitre.org/data/definitions/693.html)

## Configuration

To omit this rule during a scan, or to get continuous 24/7 code-level scanning, you can use our [**SAST TOOL**](https://scopy.sec1.io/login).
