Permissive cookie configuration

Description

Using overly permissive cookie settings can expose your application to security risks, such as unauthorized access or exploits.

Remediations

  • Do not set the cookie's max age to -1. This persists the cookie until the browser session ends and is a security risk.
    Cookie cookie = new Cookie("name", "value");
    cookie.setMaxAge(-1); // unsafe
  • Do not set the cookie's path to "/". This makes the cookie accessible to all paths in the domain. Such permissive cookie exposure is a security risk.
    Cookie cookie = new Cookie("name", "value");
    cookie.setPath("/"); // unsafe
  • Do set a limited maximum age for cookies to control their lifespan effectively.
    Cookie cookie = new Cookie("name", "value");
    cookie.setMaxAge(3000); // expires 3000 seconds after it is set
  • Do restrict the cookie's path to limit its accessibility to specific parts of your application. This practice enhances security by reducing the cookie's exposure.
    Cookie cookie = new Cookie("name", "value");
    cookie.setPath("/my-cookie-path"); // sent only with requests under /my-cookie-path
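The two remediations above combined into one helper, as an added example that is not part of this rule page or Bearer's own code: it rejects the permissive "/" path and an unbounded lifetime at the point where cookies are created, so no call site can reintroduce them. It assumes the javax.servlet API; the 3000-second cap and the cookie name and path are assumed application values.

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

public final class ScopedCookies {
    // Longest lifetime this application allows for any cookie (assumed policy value).
    private static final int MAX_AGE_CAP_SECONDS = 3000;

    private ScopedCookies() {}

    /**
     * Builds a cookie with a bounded lifetime and a path narrower than "/".
     * Rejects exactly the settings the rule flags so they cannot slip in elsewhere.
     */
    public static Cookie scoped(String name, String value, String path, int maxAgeSeconds) {
        if (path == null || path.isEmpty() || "/".equals(path)) {
            throw new IllegalArgumentException("cookie path must be narrower than \"/\"");
        }
        if (!path.startsWith("/")) {
            throw new IllegalArgumentException("cookie path must be absolute, got: " + path);
        }
        // -1 (session cookie) and 0 (delete) are not valid lifetimes for issuing a cookie here.
        if (maxAgeSeconds <= 0 || maxAgeSeconds > MAX_AGE_CAP_SECONDS) {
            throw new IllegalArgumentException(
                "max age must be between 1 and " + MAX_AGE_CAP_SECONDS + " seconds");
        }
        Cookie cookie = new Cookie(name, value);
        cookie.setPath(path);          // scoped to one area of the application
        cookie.setMaxAge(maxAgeSeconds); // explicit, bounded lifetime
        return cookie;
    }

    /** Call site: a preferences cookie valid only under /account (assumed path) for 30 minutes. */
    public static void issuePreferenceCookie(HttpServletResponse response, String prefs) {
        response.addCookie(scoped("prefs", prefs, "/account", 1800));
    }
}
```

Calling scoped("prefs", "x", "/", 1800) or scoped("prefs", "x", "/account", -1) throws, which makes the unsafe configurations fail at build time of the cookie rather than silently shipping to the browser.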

Associated CWE

Configuration

To skip this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --skip-rule=java_lang_permissive_cookie_config

To run only this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --only-rule=java_lang_permissive_cookie_config