Cookies with missing, inconsistent or contradictory properties
Description
The application sets one or more HTTP cookies with configuration properties that are invalid, mutually contradictory, or incompatible with the deployment environment. Common issues include conflicting Secure and SameSite attributes, invalid cookie prefix usage, or domain/path misconfigurations. While not directly exploitable, these misconfigurations prevent cookies from functioning as intended, potentially degrading security controls that depend on proper cookie behavior.
Remediation
Review and correct all cookie configuration issues identified in the scan results. Ensure that:
- Secure attribute: Set the Secure flag on all cookies transmitted over HTTPS to prevent transmission over unencrypted connections
- SameSite attribute: Use appropriate SameSite values (Strict, Lax, or None) based on your cross-site requirements. If using SameSite=None, the Secure flag must also be set
- Cookie prefixes: If using __Secure- or __Host- prefixes, ensure all required attributes are present (__Secure- requires Secure flag; __Host- requires Secure flag, no Domain attribute, and Path=/)
- Domain and Path: Verify that Domain and Path attributes match your application's deployment configuration
Example of a properly configured session cookie:
Set-Cookie: sessionId=abc123; Secure; HttpOnly; SameSite=Strict; Path=/; Max-Age=3600
Example with the __Host- prefix for enhanced security:
Set-Cookie: __Host-sessionId=abc123; Secure; HttpOnly; SameSite=Strict; Path=/; Max-Age=3600
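As an added illustration of the checks listed above (example code, not part of this finding's template or of any scanner), the following Python checker parses a Set-Cookie header and reports the contradictions named there; the https parameter is an assumption telling it whether the response is served over HTTPS.

```python
"""Check a Set-Cookie header for missing or contradictory attributes."""
from typing import Dict, List, Tuple, Union

Attrs = Dict[str, Union[str, bool]]


def parse_set_cookie(header: str) -> Tuple[str, str, Attrs]:
    """Split a Set-Cookie value into (name, value, {attr_lowercase: value or True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Flag attributes (Secure, HttpOnly) carry no value, stored as True
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def cookie_issues(header: str, https: bool = True) -> List[str]:
    """Return findings for one Set-Cookie header; an empty list means consistent."""
    name, _, attrs = parse_set_cookie(header)
    issues: List[str] = []
    secure = "secure" in attrs
    samesite = attrs.get("samesite")
    # Secure must match the deployment: missing on HTTPS, or set on plain HTTP
    if https and not secure:
        issues.append("missing Secure on an HTTPS-served cookie")
    if not https and secure:
        issues.append("Secure set on a cookie served over plain HTTP; browsers reject it")
    # SameSite must be a known value, and None is only valid together with Secure
    if isinstance(samesite, str):
        if samesite.lower() not in ("strict", "lax", "none"):
            issues.append(f"invalid SameSite value {samesite!r}")
        elif samesite.lower() == "none" and not secure:
            issues.append("SameSite=None requires Secure")
    # Prefix rules: __Host- needs Secure, no Domain, Path=/; __Secure- needs Secure
    if name.startswith("__Host-"):
        if not secure:
            issues.append("__Host- prefix requires Secure")
        if "domain" in attrs:
            issues.append("__Host- prefix forbids Domain")
        if attrs.get("path") != "/":
            issues.append("__Host- prefix requires Path=/")
    elif name.startswith("__Secure-") and not secure:
        issues.append("__Secure- prefix requires Secure")
    return issues
```

Run it over each Set-Cookie header from a scan result; the two example cookies above produce no findings.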
Consult the referenced standards documentation to ensure full compliance with cookie specifications for your target browsers.