S02 Insecure Session Cookies
What this means
SiteShadow flagged session cookies that are missing recommended security flags or are configured in a way that makes session theft or abuse easier.
Why it matters
Missing flags can enable session theft or cross-site request abuse.
- Without HttpOnly: XSS can read the cookie and take over accounts.
- Without Secure: cookies can leak over non-TLS connections.
- Without SameSite: cross-site requests can more easily carry session cookies (CSRF risk).
Safer examples
1) Set secure flags (Express)
res.cookie("session", token, {
httpOnly: true,
secure: true,
sameSite: "lax",
});
2) Set secure flags (Flask)
app.config.update(
SESSION_COOKIE_HTTPONLY=True,
SESSION_COOKIE_SECURE=True,
SESSION_COOKIE_SAMESITE="Lax",
)
3) Prefer short-lived sessions + rotation
- Short session TTLs for high-risk actions.
- Rotate session identifiers after login and privilege changes.
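The two points above (short TTLs for high-risk actions, identifier rotation after login and privilege changes) as a worked example. This is an added, framework-independent sketch, not SiteShadow's code or the project's own; the store, the TTL values and the `session` cookie name are constructed assumptions, and a pluggable clock is used so the expiry behaviour can be exercised without waiting.

```python
"""Session store that rotates identifiers and enforces a short re-auth window.

Added example (not part of the original page). Assumptions: in-memory store,
constructed TTL values, a cookie named "session". The `now` callable is injected
so expiry can be tested deterministically.
"""
import secrets
import time
from dataclasses import dataclass

SESSION_TTL = 60 * 60      # whole-session lifetime: 1 hour (constructed value)
SENSITIVE_TTL = 5 * 60     # how recently the user must have authenticated for
                           # a high-risk action: 5 minutes (constructed value)


@dataclass
class Session:
    user_id: str
    role: str
    created_at: float
    last_auth_at: float


class SessionStore:
    def __init__(self, now=time.time):
        self._now = now
        self._sessions = {}

    def _issue(self, session):
        # 256-bit random identifier from the OS CSPRNG.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = session
        return sid

    def login(self, user_id, role, previous_sid=None):
        """Create a fresh identifier on login; any pre-login identifier is discarded
        so an attacker-supplied id never survives authentication (fixation)."""
        if previous_sid is not None:
            self._sessions.pop(previous_sid, None)
        t = self._now()
        return self._issue(Session(user_id, role, t, t))

    def get(self, sid):
        """Return the live session or None; expired sessions are evicted."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self._now() - s.created_at > SESSION_TTL:
            del self._sessions[sid]
            return None
        return s

    def rotate(self, sid):
        """Move the session under a new identifier and invalidate the old one."""
        s = self._sessions.pop(sid, None)
        if s is None:
            raise KeyError("unknown or expired session")
        return self._issue(s)

    def elevate(self, sid, new_role):
        """Privilege change: record the re-authentication time and rotate the id."""
        s = self.get(sid)
        if s is None:
            raise KeyError("unknown or expired session")
        s.role = new_role
        s.last_auth_at = self._now()
        return self.rotate(sid)

    def allows_high_risk_action(self, sid):
        """High-risk actions require an authentication more recent than SENSITIVE_TTL."""
        s = self.get(sid)
        return s is not None and self._now() - s.last_auth_at <= SENSITIVE_TTL


def set_cookie_header(sid):
    """Set-Cookie value with the flags this rule expects, plus a bounded Max-Age."""
    return (f"session={sid}; Path=/; HttpOnly; Secure; SameSite=Lax; "
            f"Max-Age={SESSION_TTL}")


if __name__ == "__main__":
    store = SessionStore()
    sid = store.login("alice", "user")
    print(set_cookie_header(sid))
    admin_sid = store.elevate(sid, "admin")
    print("old id still valid:", store.get(sid) is not None)
    print("new id role:", store.get(admin_sid).role)
```

Rotation is a pop-and-reinsert, so the old identifier stops working the moment the new one is issued; a real deployment would back the store with a shared cache and set the new cookie in the same response that performs the login or privilege change.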
How SiteShadow detects it (high level)
- Recognizes cookie-setting APIs and checks for missing/unsafe flags.
- Flags cases where session cookies are set without HttpOnly/Secure and without an explicit SameSite.
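The flag checks listed under "Why it matters" and the detection described here, as an added example that audits `Set-Cookie` header values. This is illustrative code written for this page, not SiteShadow's scanner: the project inspects cookie-setting APIs in source, whereas this version checks emitted headers, and the name hints used to decide what counts as a session cookie are an assumption.

```python
"""Audit Set-Cookie headers for missing session-cookie flags.

Added example, not SiteShadow's own detection logic. The session-name hints
are an assumption; the sample headers are constructed, not captured traffic.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Substrings that suggest a cookie carries a session identifier (assumption).
SESSION_NAME_HINTS = ("session", "sess", "sid", "auth")


@dataclass
class CookieAudit:
    name: str
    http_only: bool
    secure: bool
    same_site: str | None
    findings: list[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> tuple[str, dict[str, str | None]]:
    """Split a Set-Cookie value into (cookie name, {attribute-lowercased: value}).

    Flag attributes such as HttpOnly carry no value and map to None.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: dict[str, str | None] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if sep else None
    return name, attrs


def looks_like_session_cookie(name: str) -> bool:
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def audit_set_cookie(header: str) -> CookieAudit | None:
    """Return findings for a session cookie, or None for non-session cookies."""
    name, attrs = parse_set_cookie(header)
    if not looks_like_session_cookie(name):
        return None
    same_site = attrs.get("samesite")
    audit = CookieAudit(name, "httponly" in attrs, "secure" in attrs, same_site)
    if not audit.http_only:
        audit.findings.append("missing HttpOnly: readable by script, exposed to XSS")
    if not audit.secure:
        audit.findings.append("missing Secure: may be sent over plaintext HTTP")
    if same_site is None:
        audit.findings.append("no explicit SameSite: relies on the browser default (CSRF risk)")
    elif same_site.lower() == "none" and not audit.secure:
        # Browsers require Secure alongside SameSite=None; without it the cookie is rejected.
        audit.findings.append("SameSite=None without Secure: browsers reject this combination")
    return audit


def audit_headers(headers: list[str]) -> list[tuple[str, list[str]]]:
    """Audit several headers; returns (header, findings) for each session cookie."""
    results = []
    for h in headers:
        audit = audit_set_cookie(h)
        if audit is not None:
            results.append((h, audit.findings))
    return results


# Constructed sample responses for demonstration.
SAMPLE_HEADERS = [
    "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "session=abc123; Path=/",
    "sid=xyz; Secure; SameSite=None",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    for header, findings in audit_headers(SAMPLE_HEADERS):
        status = "OK" if not findings else "; ".join(findings)
        print(f"{header!r}: {status}")
```

The `theme` cookie is skipped rather than flagged, which mirrors the point of the rule: the flags matter most on cookies that carry a session, and a source-level scanner like SiteShadow can make that distinction more reliably than a header heuristic because it sees which cookie the session middleware writes.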
References
- OWASP Session Management: https://owasp.org/www-project-cheat-sheets/cheatsheets/Session_Management_Cheat_Sheet.html
---