What do we analyze?
Cookies store sensitive information like session tokens. If not properly configured, an attacker can steal them and impersonate the legitimate user.
Verified Flags
Secure Flag
The cookie is only sent over HTTPS, never on unencrypted connections.
HttpOnly Flag
The cookie is not accessible from JavaScript, protecting it from XSS.
SameSite Attribute
Controls whether the cookie is sent with cross-site requests, which mitigates CSRF.
Expiration Time
Checks that session cookies do not persist indefinitely.
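As an added example (not code from this page's scanner), a small Python checker that applies the four checks above to Set-Cookie headers. The sample headers and the 30-day maximum lifetime policy are constructed assumptions for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed Set-Cookie headers for the demo; not captured from any real site.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age=3600",
    "token=xyz789; Path=/",
    "pref=dark; Path=/; Secure; SameSite=None; Expires=Fri, 01 Jan 2100 00:00:00 GMT",
]

MAX_SESSION_LIFETIME = 30 * 24 * 3600  # assumed policy: 30 days in seconds


def parse_set_cookie(header):
    """Split a Set-Cookie header into the cookie name and a dict of lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            attrs[part.lower()] = True  # bare flags such as Secure / HttpOnly
    return name, attrs


def check_cookie(header, now=None):
    """Return the list of findings for one Set-Cookie header; an empty list means it passes."""
    _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    # SameSite=None (or absent) lets the cookie ride along on cross-site requests
    if str(attrs.get("samesite", "")).lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict")
    # Lifetime: Max-Age takes precedence over Expires; neither means a browser-session cookie
    lifetime = None
    if "max-age" in attrs:
        try:
            lifetime = int(attrs["max-age"])
        except (TypeError, ValueError):
            findings.append("unparseable Max-Age")
    elif "expires" in attrs:
        now = now or datetime.now(timezone.utc)
        lifetime = (parsedate_to_datetime(attrs["expires"]) - now).total_seconds()
    if lifetime is not None and lifetime > MAX_SESSION_LIFETIME:
        findings.append("lifetime exceeds policy")
    return findings


def audit(headers):
    """Map each cookie name to its findings."""
    return {parse_set_cookie(h)[0]: check_cookie(h) for h in headers}
```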
Why is it important?
A stolen session cookie allows an attacker to access the user's account without knowing their password. Attacks like XSS or network sniffing can capture misconfigured cookies.
Impact if it fails
- Session hijacking
- Unauthorized access to user accounts
- Identity theft
- Personal data compromise
Potential Penalties
| Company Type | Indicative Fine |
|---|---|
| Microenterprise | 5,000 - 30,000 € |
| SME | 30,000 - 200,000 € |
| Large Enterprise | Up to 10M € or 2% turnover |