V50.2.1 (v4.0.3-3.4.1) - cookie secure attribute

[elarlang]

Current requirement, moved from V3.4.1 to V50.2.1 via #2410:

#	Description	L1	L2	L3	CWE
50.2.1	[MOVED FROM 3.4.1] Verify that cookie-based session tokens have the 'Secure' attribute set.	✓	✓	✓	614

As the requirement is now a general cookie security requirement, the wording must be non-session-cookie specific.

Proposal:

Verify that cookies have the 'Secure' attribute set.

Level: keep level 1

[elarlang]

Proposal update based on #2422 (comment) + #2422 (comment)

Verify that cookies have the 'Secure' attribute set, and if the '__Host-' prefix is not used for the cookie name, the '__Secure-' prefix must be used for the cookie name.

The reasons:

• Secure gives that browser is not allowed to send the cookie over http: connection
• __Secure- gives that it is not possible to write a cookie with the same name without a Secure flag (including over http: connection)

[tghosth]

Does every cookie need this or only sensitive cookies?

[elarlang]

It is the same question as "does every HTTP request need to use HTTPS or only sensitive ones"?

If we require "everything must be over HTTPS" then there is no reason to allow cookies to be sent over http:.

The risk per cookie content is for sure different.

[Sjord]

I suggest to make this requirement simply "all cookies must have the secure flag set", and then have a separate requirement for the cookie prefix.

[elarlang]

... and then have a separate requirement for the cookie prefix.

I prefer not, because:

• __Secure- is related to Secure - both are for sending the message to the browser, that "cookies only over HTTPS"
• __Secure- itself requires usage of Secure
• __Secure- we can require only, if it is not valid to require __Host- to be used

[tghosth]

Verify that cookies have the 'Secure' attribute set, and if the '__Host-' prefix is not used for the cookie name, the '__Secure-' prefix must be used for the cookie name.

Agree with this wording, I agree that I don't want more requirements out of this :)