Permissive cookie configuration

Description

To make sure cookies don't open your application up to exploits or unauthorized access, don't use overly permissive cookie settings.

Remediations

❌ Do not set the cookie's max age to -1. This persists the cookie until the browser session ends and is a security risk.

❌ Do not set the cookie's path to "". This makes the cookie accessible to all paths in the domain. Such permissive cookie exposure is a security risk.

✅ Set a limited max age and restrict the cookie's path.

  Cookie cookie = new Cookie("name", "value");
  cookie.setMaxAge(3000);
  cookie.setPath("/my-cookie-path");
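The following is an added example, not code from the rule page or from the Bearer project. It puts the remediation into a small helper and pairs it with an audit method that reports the two permissive settings this rule describes (a max age of -1 and an empty path) so a reviewer can check cookies before they are added to a response. It assumes the javax.servlet API; on Servlet 5 or later the import would be jakarta.servlet.http.Cookie instead. The class and method names are hypothetical.

```java
// Added example: audits Cookie objects for the permissive settings the rule
// flags and builds a cookie with the restricted settings the remediation shows.
// Assumes the javax.servlet API (jakarta.servlet.http.Cookie on Servlet 5+).
import javax.servlet.http.Cookie;
import java.util.ArrayList;
import java.util.List;

public class CookieConfigAudit {

    // A max age of -1 means the cookie lives until the browser session ends.
    private static final int SESSION_MAX_AGE = -1;

    /** Returns one finding per permissive setting; an empty list means the cookie passes. */
    public static List<String> audit(Cookie cookie) {
        List<String> findings = new ArrayList<>();

        if (cookie.getMaxAge() == SESSION_MAX_AGE) {
            findings.add(cookie.getName()
                    + ": max age is -1 (cookie persists until the browser session ends)");
        }

        String path = cookie.getPath();
        if (path == null) {
            // No Path attribute is emitted, so the browser derives the path from
            // the request URI; report it so the omission is a deliberate choice.
            findings.add(cookie.getName() + ": path not set (browser picks a default path)");
        } else if (path.isEmpty()) {
            findings.add(cookie.getName() + ": path is \"\" (cookie sent to every path on the domain)");
        }

        return findings;
    }

    /** Builds a cookie with a bounded lifetime and a restricted path, as the remediation shows. */
    public static Cookie restrictedCookie(String name, String value, int maxAgeSeconds, String path) {
        Cookie cookie = new Cookie(name, value);
        cookie.setMaxAge(maxAgeSeconds); // lifetime in seconds; 3000 matches the page's example
        cookie.setPath(path);            // for example "/my-cookie-path"
        return cookie;
    }

    public static void main(String[] args) {
        // Constructed sample cookies: one with both permissive settings, one hardened.
        Cookie permissive = new Cookie("session", "abc");
        permissive.setMaxAge(-1);
        permissive.setPath("");
        System.out.println("permissive -> " + audit(permissive));

        Cookie hardened = restrictedCookie("session", "abc", 3000, "/my-cookie-path");
        System.out.println("hardened   -> " + audit(hardened));
    }
}
```

Running the audit in a unit test over the cookies a filter or controller produces turns this rule's two checks into a regression test; the builder method keeps the bounded max age and the restricted path in one place so they are not set differently across handlers.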

Associated CWE

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=java_lang_permissive_cookie_config

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=java_lang_permissive_cookie_config
