Session Cookie Accessible for Subdomains
Impact: Low
Description
When the Domain attribute is present in the Set-Cookie header, browsers send the cookie to the specified domain and to all of its subdomains. If the cookie carries a session identifier or other sensitive data, every host under that domain (including ones operated by other teams or third parties) can read it, which can result in unintended data exposure and session compromise.
Recommendation
To restrict the cookie to the host that set it, remove the Domain attribute from the Set-Cookie header. A cookie without a Domain attribute is host-only: browsers send it only to the exact host that issued it, so subdomains cannot read it, which reduces the risk of data leakage.
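The following is an added example, not code from the original page: a small audit script that parses Set-Cookie header values, flags session cookies that declare a Domain attribute (and therefore reach every subdomain), and rebuilds the hardened header with that attribute removed. The list of session cookie names and the sample headers are constructed assumptions for illustration.

```python
"""Added example: flag session cookies whose Set-Cookie header carries a Domain
attribute, and show the hardened header with the attribute removed.
The SESSION_NAMES set and the sample headers are constructed (not from the page)."""
from dataclasses import dataclass, field

# Constructed list of common session cookie names (assumption, extend as needed).
SESSION_NAMES = {"sessionid", "phpsessid", "jsessionid", "asp.net_sessionid", "connect.sid"}


@dataclass
class Cookie:
    name: str
    value: str
    # attribute name (lowercased) -> value, or None for flag attributes (Secure, HttpOnly)
    attrs: dict = field(default_factory=dict)


def parse_set_cookie(header: str) -> Cookie:
    """Split one Set-Cookie header value into cookie name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_eq, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_eq else None
    return Cookie(name.strip(), value.strip(), attrs)


def is_session_cookie(cookie: Cookie) -> bool:
    """Heuristic: match against the constructed SESSION_NAMES set, case-insensitively."""
    return cookie.name.lower() in SESSION_NAMES


def cookie_scope(cookie: Cookie) -> str:
    """Describe where the browser will send this cookie (RFC 6265 domain matching)."""
    domain = cookie.attrs.get("domain")
    if not domain:
        # No Domain attribute: host-only cookie, sent only to the exact host that set it.
        return "host-only"
    # Browsers ignore a leading dot; the cookie reaches the domain and every subdomain.
    return f"{domain.lstrip('.')} and all of its subdomains"


def audit_set_cookie(headers: list) -> list:
    """Return one finding string per session cookie that declares a Domain attribute."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if is_session_cookie(cookie) and cookie.attrs.get("domain"):
            findings.append(
                f"{cookie.name}: Domain={cookie.attrs['domain']} -> sent to {cookie_scope(cookie)}"
            )
    return findings


def strip_domain(header: str) -> str:
    """Remediation: rebuild the header without its Domain attribute, keeping everything else."""
    parts = [p.strip() for p in header.split(";")]
    kept = [p for p in parts if p and p.split("=", 1)[0].strip().lower() != "domain"]
    return "; ".join(kept)


if __name__ == "__main__":
    # Constructed sample headers (not captured from any real site).
    SAMPLE_HEADERS = [
        "sessionid=abc123; Domain=.example.com; Path=/; Secure; HttpOnly",
        "theme=dark; Domain=example.com; Path=/",
        "JSESSIONID=deadbeef; Path=/; Secure; HttpOnly",
    ]
    for finding in audit_set_cookie(SAMPLE_HEADERS):
        print("FINDING:", finding)
    print("HARDENED:", strip_domain(SAMPLE_HEADERS[0]))
```

Only the first sample header is reported: the second is not a session cookie (it belongs to the separate, lower-severity "Cookie Accessible for Subdomains" finding), and the third already has no Domain attribute, so it is host-only. The hardened header keeps Path, Secure and HttpOnly intact and drops only the Domain attribute.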
Last updated on May 13, 2024