/vulndb/Session Cookie not Flagged as Secure

The Secure flag is an attribute of the Set-Cookie HTTP response header. It tells the browser that the cookie must only be sent over an encrypted channel (HTTPS) and never over an insecure channel such as plain HTTP.

An attacker able to eavesdrop on the communication between client and server can steal users' cookies. A stolen session cookie can then be used to perform a session hijacking attack.

Solution

It is recommended to set the “Secure” flag on cookies designed to be used exclusively over SSL (HTTPS). This ensures that session information is always transmitted over an encrypted connection.
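As an added example (not part of the original vulndb entry), the following Python code parses Set-Cookie response headers, reports session cookies that lack the Secure attribute, and shows how a compliant header is built. The response headers and the list of cookie names treated as session cookies are constructed assumptions for illustration; a real scanner would apply the check to every response the application returns.

```python
"""Detect session cookies issued without the Secure attribute.

Added example for this vulndb entry, not code from the original page.
The header values and the session-cookie name list below are constructed
assumptions used only to demonstrate the check.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumption: cookie names commonly used to carry a session identifier.
SESSION_COOKIE_NAMES = {"sessionid", "jsessionid", "phpsessid", "asp.net_sessionid", "sid"}


@dataclass
class ParsedCookie:
    name: str
    value: str
    # Attribute names are case-insensitive per RFC 6265, so they are stored lowercased.
    # Flag attributes such as Secure and HttpOnly map to an empty string.
    attributes: Dict[str, str] = field(default_factory=dict)


def parse_set_cookie(header_value: str) -> ParsedCookie:
    """Split 'name=value; Attr; Attr=val' into its parts."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return ParsedCookie(name.strip(), value.strip(), attrs)


def is_secure(cookie: ParsedCookie) -> bool:
    """True when the Secure attribute is present."""
    return "secure" in cookie.attributes


def is_session_cookie(cookie: ParsedCookie) -> bool:
    """Heuristic: name matches a well-known session identifier (assumed list)."""
    return cookie.name.lower() in SESSION_COOKIE_NAMES


def find_insecure_session_cookies(headers: List[Tuple[str, str]]) -> List[str]:
    """Return the names of session cookies set without the Secure attribute."""
    findings = []
    for header_name, header_value in headers:
        if header_name.lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(header_value)
        if is_session_cookie(cookie) and not is_secure(cookie):
            findings.append(cookie.name)
    return findings


def build_set_cookie(name: str, value: str, *, path: str = "/",
                     secure: bool = True, http_only: bool = True,
                     same_site: str = "Lax") -> str:
    """Build a Set-Cookie value with the Secure flag (and related hardening) applied."""
    parts = [f"{name}={value}", f"Path={path}"]
    if secure:
        parts.append("Secure")
    if http_only:
        parts.append("HttpOnly")
    if same_site:
        parts.append(f"SameSite={same_site}")
    return "; ".join(parts)


# Constructed sample response headers: one vulnerable session cookie, one
# non-session cookie, and one correctly flagged session cookie.
SAMPLE_RESPONSE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/; HttpOnly"),      # missing Secure
    ("Set-Cookie", "theme=dark; Path=/; Max-Age=31536000"),     # not a session cookie
    ("Set-Cookie", "sid=xyz789; Path=/; Secure; HttpOnly"),     # correctly flagged
]


if __name__ == "__main__":
    for name in find_insecure_session_cookies(SAMPLE_RESPONSE_HEADERS):
        print(f"session cookie '{name}' is not flagged as Secure")
    print("hardened header:", build_set_cookie("JSESSIONID", "abc123"))
```

Running the check against the constructed headers reports only `JSESSIONID`; the `theme` cookie is ignored because it is not a session cookie, and `sid` already carries the flag. `build_set_cookie` shows the remediated header the server should emit instead.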

Caveats

Even if the “Secure” flag is used, it may still be possible to hijack the session through a MITM (Man-in-the-Middle) attack if parts of the web application are not delivered over SSL.

References

http://en.wikipedia.org/wiki/HTTP_cookie#Secure_cookie