PTKD Mobile App Security
Severity: low | M5 | MASVS-NETWORK-1 | Dynamic analysis | PTKD-DYN-INSECURE-COOKIE

Session cookie without Secure/HttpOnly

A cookie was set without the Secure (or HttpOnly) attribute, exposing it to cleartext transmission or script access.

How it's exploited

A session cookie was set without Secure and/or HttpOnly. Without Secure the browser or WebView will also send it over plaintext HTTP, where it can be captured on the network; without HttpOnly any script running in that web context (for example via XSS or an injected page) can read it through document.cookie.

Why it matters

An attacker who captures the cookie on the network or reads it from script can replay it and hijack the user's session.

How to fix it

  1. Set the Secure, HttpOnly and SameSite attributes on session cookies when the server issues them.
  2. This is a backend fix: redeploy the server and re-run the scan to confirm the finding clears.
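As an added illustration (not part of the PTKD knowledge base), the following Python checks captured Set-Cookie headers for the attributes the fix calls for and builds the hardened form; the sample headers and the cookie names are constructed for the example.

```python
"""Audit Set-Cookie headers for Secure / HttpOnly / SameSite (constructed example)."""


def parse_set_cookie(header: str):
    """Split one Set-Cookie value into (name, value, {attribute: value})."""
    # Attribute names are case-insensitive (RFC 6265), so they are lowercased;
    # flag attributes such as Secure map to an empty string.
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header: str) -> list:
    """Return the hardening problems in one Set-Cookie header (empty list = clean)."""
    _, _, attrs = parse_set_cookie(header)
    problems = []
    if "secure" not in attrs:
        problems.append("missing Secure")  # may be sent over plaintext HTTP
    if "httponly" not in attrs:
        problems.append("missing HttpOnly")  # readable by any script in the page
    samesite = attrs.get("samesite", "").lower()
    if not samesite:
        problems.append("missing SameSite")
    elif samesite == "none" and "secure" not in attrs:
        problems.append("SameSite=None without Secure (browsers reject the cookie)")
    return problems


def audit_response(set_cookie_headers) -> dict:
    """Map cookie name -> problems for every Set-Cookie header in a response."""
    return {parse_set_cookie(h)[0]: audit_set_cookie(h) for h in set_cookie_headers}


def hardened_session_cookie(name: str, value: str, samesite: str = "Lax") -> str:
    """Build the Set-Cookie value the fix above calls for."""
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite={samesite}"


# Constructed sample: two headers as a scanner might capture them, plus the fixed form.
SAMPLE_RESPONSE = [
    "sessionid=abc123; Path=/",            # the pattern this finding describes
    "sessionid2=def456; Path=/; Secure",   # still readable by script
    hardened_session_cookie("sessionid3", "ghi789"),
]
```

Run `audit_response(SAMPLE_RESPONSE)` against the headers a proxy or the app's HTTP client returns; only the hardened cookie comes back with an empty problem list.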

References