Session Cookie Accessible for Subdomains

Impact: Low

Description

When the Domain attribute is present in the Set-Cookie header, browsers send the cookie to any subdomains of the specified domain. This can result in unintended data exposure and potential security risks, particularly if sensitive information is stored in the cookie.

Recommendation

To restrict cookie access to the current domain only, remove the Domain attribute from the Set-Cookie header. This ensures that the cookie is not accessible to subdomains, thereby reducing the risk of data leakage.

References

CWE-16
MDN Web Docs: Set-Cookie
Mozilla: Using HTTP cookies
OWASP 2021-A5

👉 You might also like:

Cookie Accessible for Subdomains - Vulnerability

Session Cookie without HttpOnly Flag - Vulnerability

Session Cookie without SameSite Flag - Vulnerability

Session Cookie without Secure Flag - Vulnerability

Last updated on May 13, 2024

Session Cookie Accessible for Subdomains

Description

Recommendation

References

Use SmartScanner Free version to test for this issue