CWE-614 Insecure Cookie in HTTPS Session
What this means
SiteShadow flagged session cookies that lack the protective attributes Secure, HttpOnly, and a restrictive SameSite value, even though the session is served over HTTPS.
Why it matters
- Missing cookie flags can lead to session theft and cross-site request abuse.
- A stolen session cookie can mean full account takeover until the session expires or is revoked.
Safer examples
1) Set Secure, HttpOnly, and SameSite
res.cookie("session", token, {
  httpOnly: true,   // not readable from document.cookie, so script injection cannot exfiltrate it
  secure: true,     // only sent over HTTPS, never on a plaintext request
  sameSite: "lax",  // not attached to cross-site subrequests (POST, iframes, fetch)
});
2) Rotate sessions on login and privilege changes
If a session is stolen, rotation reduces the window and prevents fixation.
3) Prefer short sessions + revocation
Give users/admins the ability to revoke sessions, and use reasonable expirations (see TOK01).
How SiteShadow detects it (high level)
- Detects cookie-setting APIs and flags missing Secure/HttpOnly/SameSite.
- Prioritizes cookies that look like session/auth tokens.
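As an added illustration of the detection idea (not SiteShadow's implementation), the following audits Set-Cookie header values the way the two bullets describe: parse the attributes case-insensitively, report which of Secure, HttpOnly and SameSite are absent, and rank cookies whose names look like session or auth tokens first. The name heuristic regex and the sample headers are constructed for the example.

```javascript
// Parse one Set-Cookie value into its name and a lowercase-keyed attribute map.
// Attribute names are case-insensitive, so "secure" and "Secure" are the same.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const [nameValue, ...attrs] = parts;
  const eq = nameValue.indexOf("=");
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq);
  const attributes = {};
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : a.slice(i + 1).trim();
  }
  return { name, attributes };
}

// Constructed heuristic: names that look like session/auth tokens get high priority.
const SESSION_LIKE = /sess|auth|token|jwt|sid|login/i;

// Audit one header value; returns the cookie name, a priority and a list of findings.
function auditSetCookie(header) {
  const { name, attributes } = parseSetCookie(header);
  const findings = [];
  if (!("secure" in attributes)) findings.push("missing Secure");
  if (!("httponly" in attributes)) findings.push("missing HttpOnly");
  const sameSite = attributes.samesite;
  if (sameSite === undefined) {
    findings.push("missing SameSite");
  } else if (String(sameSite).toLowerCase() === "none") {
    // Not always wrong, but worth a look: the cookie rides on cross-site requests.
    findings.push("SameSite=None (sent on cross-site requests)");
  }
  const priority = SESSION_LIKE.test(name) ? "high" : "low";
  return { name, priority, findings };
}

// Audit many headers, keep only cookies with findings, high priority first.
function auditAll(headers) {
  return headers
    .map(auditSetCookie)
    .filter((r) => r.findings.length > 0)
    .sort((a, b) => (a.priority === b.priority ? 0 : a.priority === "high" ? -1 : 1));
}

// Constructed sample Set-Cookie values, as a scanner would see them in responses.
const SAMPLE_HEADERS = [
  "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
  "auth_token=xyz; Path=/; HttpOnly",
  "theme=dark; Path=/",
  "sid=qqq; Secure; SameSite=None",
];

for (const r of auditAll(SAMPLE_HEADERS)) {
  console.log(`[${r.priority}] ${r.name}: ${r.findings.join(", ")}`);
}
```

The first sample cookie produces no findings and is dropped from the report; the two session-like cookies with gaps sort above the cosmetic theme cookie, which is the prioritization the detector applies.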
References
- CWE-614: https://cwe.mitre.org/data/definitions/614.html
---