SiteShadow
Back to vulnerability library
Detected byRegex rules + pattern checksFree

S02 Insecure Session Cookies

What this means

SiteShadow flagged session cookies that are missing recommended security flags or are configured in a way that makes session theft or abuse easier.

Why it matters

Missing flags can enable session theft or cross-site request abuse.

Safer examples

1) Set secure flags (Express)

res.cookie("session", token, {
  httpOnly: true,
  secure: true,
  sameSite: "lax",
});

2) Set secure flags (Flask)

app.config.update(
    SESSION_COOKIE_HTTPONLY=True,
    SESSION_COOKIE_SECURE=True,
    SESSION_COOKIE_SAMESITE="Lax",
)

3) Prefer short-lived sessions + rotation

How SiteShadow detects it (high level)

References

---

← Back to Vulnerability Library

Catch this in your code with the free tier.

SiteShadow's free tier covers this exact pattern across the 23 OWASP Top 10 single-file checks. Sign in with your work SSO, first-time sign-in auto-issues your free license.