scala.play.security.conf-insecure-cookie-settings.conf-insecure-cookie-settings

Author
unknown

Session cookie Secure flag is explicitly disabled. The Secure flag on a cookie prevents the client from transmitting it over insecure channels such as plain HTTP, so a session cookie sent without it can be read by anyone on the network path. Set the Secure flag by setting secure to true in the configuration file.


Definition

rules:
  - id: conf-insecure-cookie-settings
    patterns:
      - pattern: secure = false
      - pattern-inside: |
          session = {
            ...
          }
    message: Session cookie `Secure` flag is explicitly disabled. The `secure` flag
      for cookies prevents the client from transmitting the cookie over insecure
      channels such as HTTP. Set the `Secure` flag by setting `secure` to `true`
      in configuration file.
    languages:
      - generic
    severity: WARNING
    paths:
      include:
        - "*.conf"
    metadata:
      category: security
      references:
        - https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#security
        - https://www.playframework.com/documentation/2.8.x/SettingsSession#Session-Configuration
      technology:
        - play
        - scala
      cwe:
        - "CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute"
      owasp:
        - A05:2021 - Security Misconfiguration
      confidence: MEDIUM
      subcategory:
        - vuln
      likelihood: LOW
      impact: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cookie Security
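The rule above combines `pattern: secure = false` with `pattern-inside: session = { ... }`, so only a `secure = false` that sits somewhere inside a `session = { ... }` block is reported, including inside nested sub-blocks such as `jwt { ... }`, while the same assignment outside a session block is not in scope. The following Python checker is an added example, not part of the Semgrep rule or the Play project, that mirrors that scoping on a constructed configuration; the sample text, the function names and the simple brace/comment handling are assumptions made for the example (it strips `#` line comments only and does not parse HOCON fully).

```python
import re

# Constructed sample of a Play/HOCON configuration file (not taken from the original page).
# Line 7 is the finding; the bare `secure = false` on line 14 is outside any session block.
SAMPLE_CONF = """\
play.http.secret.key = "changeme"

# Session configuration
session = {
  cookieName = "PLAY_SESSION"
  httpOnly = true
  secure = false
  jwt {
    signatureAlgorithm = "HS256"
  }
}

# A flag outside any session block is not in scope for the rule
secure = false

session = {
  cookieName = "PLAY_SESSION"
  secure = true
}
"""

# Start of a `session = {` block (hypothetical helper patterns for this example).
SESSION_OPEN = re.compile(r'^\s*session\s*=\s*\{\s*$')
# The insecure assignment the Semgrep pattern looks for.
INSECURE = re.compile(r'^\s*secure\s*=\s*false\b')


def find_insecure_session_cookies(conf_text):
    """Return the 1-based line numbers of `secure = false` assignments that appear
    inside a `session = { ... }` block. Brace depth is tracked so that nested
    sub-blocks (for example `jwt { ... }`) remain inside the session scope, which is
    how the rule's `...` treats them."""
    findings = []
    in_session = False
    depth = 0  # brace depth relative to the enclosing session block
    for lineno, line in enumerate(conf_text.splitlines(), start=1):
        stripped = line.split('#', 1)[0]  # drop HOCON `#` line comments
        if not in_session:
            if SESSION_OPEN.match(stripped):
                in_session = True
                depth = 1
            continue
        if INSECURE.match(stripped):
            findings.append(lineno)
        depth += stripped.count('{') - stripped.count('}')
        if depth <= 0:  # closing brace of the session block reached
            in_session = False
    return findings


def session_cookie_is_secure(conf_text):
    """True when no session block in the configuration disables the Secure flag."""
    return not find_insecure_session_cookies(conf_text)


if __name__ == "__main__":
    for lineno in find_insecure_session_cookies(SAMPLE_CONF):
        print(f"line {lineno}: session cookie Secure flag is explicitly disabled")
    print("configuration passes" if session_cookie_is_secure(SAMPLE_CONF) else "configuration fails")
```

Running the module prints the single finding on line 7 of the constructed sample and reports that the configuration fails; flipping that line to `secure = true` makes `session_cookie_is_secure` return True, which is the fix the rule message asks for.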

Examples

conf-insecure-cookie-settings.conf

# This is the main configuration file for the application.
# ~~~~~

# Secret key
# ~~~~~
# The secret key is used to secure cryptographics functions.
play.http.secret.key = "changeme"

# The application languages
# ~~~~~
play.i18n.langs = [ "en" ]

# Disable default filters
play.filters.enabled = [ ]

play.modules {
  enabled += "startup.StartupModule"
}

play.server.server-header = "Play2"

# Session configuration
session = {

  cookieName = "PLAY_SESSION"
  
  maxAge = null

  httpOnly = true

  sameSite = "lax"

  domain = null

  path = ${play.http.context}

  # ruleid: conf-insecure-cookie-settings
  secure = false

  jwt {
    signatureAlgorithm = "HS256"

    expiresAfter = ${play.http.session.maxAge}

    clockSkew = 5 minutes

    dataClaim = "data"
  }
}

# Session configuration 2
session = {

  cookieName = "PLAY_SESSION"
  
  maxAge = null

  httpOnly = true

  sameSite = "lax"

  domain = null

  path = ${play.http.context}

  # ok: conf-insecure-cookie-settings
  secure = true

  jwt {
    signatureAlgorithm = "HS256"

    expiresAfter = ${play.http.session.maxAge}

    clockSkew = 5 minutes

    dataClaim = "data"
  }
}