Secure cookie implementation

Did a quick penetration test of my locally hosted Nextcloud server and received a "medium-secure" server result because secure cookies were not enabled (risk description at the bottom). Are there any plans to implement secure cookies, or do we need to do that at the web server level?

There is a nice article on how to implement this at the web server level, while I was wondering if there are any future implementations on the roadmap that might conflict with the web server config.

Risk description:
Since the Secure flag is not set on the cookie, the browser will send it over an unencrypted channel (plain HTTP) if such a request is made. Thus, the risk exists that an attacker will intercept the clear-text communication between the browser and the server and he will steal the cookie of the user. If this is a session cookie, the attacker could gain unauthorized access to the victim’s web session.

We recommend reconfiguring the web server in order to set the flag(s) Secure to all sensitive cookies.

More information about this issue:

Openvas also complains about that and gives a “medium” warning:

The host is running a server with SSL/TLS and is prone to an information disclosure vulnerability.
Vulnerability Detection Result

The cookies:

Set-Cookie: 45342agfd4=replaced; path=/; HttpOnly

are missing the “secure” attribute.

Solution type: Mitigation

Set the ‘secure’ attribute for any cookies that are sent over a SSL/TLS connection.
Affected Software/OS

Server with SSL/TLS.
Vulnerability Insight

The flaw is due to the cookie not using the ‘secure’ attribute, which allows the cookie to be passed to the server by the client over non-secure channels (http) and allows an attacker to conduct session hijacking attacks.

Impact Level: Application
Vulnerability Detection Method

Details: SSL/TLS: Missing secure Cookie Attribute (OID:

Version used: $Revision: 5543 $
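The two scanner findings above both boil down to the same header check: for each Set-Cookie line in an HTTPS response, is the Secure attribute present (and, while you are looking, HttpOnly, SameSite and any __Host-/__Secure- prefix rules). The following is an added example, not Nextcloud code or output from the scanners quoted in the thread; it audits raw Set-Cookie lines offline so you can confirm a fix before re-running a scan. The sample headers are constructed, the first one copied from the OpenVAS output above.

```python
"""Audit Set-Cookie headers for the Secure attribute and related hardening.

Added example, not Nextcloud code: given the raw Set-Cookie lines from an
HTTPS response, list which hardening attributes each cookie lacks and whether
a __Host-/__Secure- prefix is used correctly (the checks scanners such as
OpenVAS report on). The sample headers at the bottom are constructed; the
first mirrors the finding quoted in the thread.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class CookieAudit:
    name: str
    attributes: Dict[str, Optional[str]]      # lower-cased attribute -> value
    findings: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.findings


def parse_set_cookie(header: str) -> CookieAudit:
    """Split one Set-Cookie line (with or without the header name) into
    the cookie name and a dict of its attributes."""
    value = header.split(":", 1)[1] if header.lower().startswith("set-cookie:") else header
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else None
    return CookieAudit(name=name, attributes=attrs)


def audit_set_cookie(header: str, served_over_tls: bool = True) -> CookieAudit:
    """Run the per-cookie checks and record each failure as a finding."""
    cookie = parse_set_cookie(header)
    attrs = cookie.attributes
    if served_over_tls and "secure" not in attrs:
        cookie.findings.append("missing Secure: browser may send it over plain HTTP")
    if "httponly" not in attrs:
        cookie.findings.append("missing HttpOnly: readable by page scripts")
    if (attrs.get("samesite") or "").lower() not in ("lax", "strict"):
        cookie.findings.append("missing or weak SameSite: set Lax or Strict")
    # Cookie-prefix rules: __Host- needs Secure, Path=/ and no Domain;
    # __Secure- needs Secure. Browsers reject prefixed cookies that violate them.
    if cookie.name.startswith("__Host-"):
        if "secure" not in attrs or attrs.get("path") != "/" or "domain" in attrs:
            cookie.findings.append("__Host- prefix requirements not met")
    elif cookie.name.startswith("__Secure-") and "secure" not in attrs:
        cookie.findings.append("__Secure- prefix used without Secure")
    return cookie


def audit_response(headers: List[str]) -> Dict[str, List[str]]:
    """Audit every Set-Cookie line in a response; returns name -> findings."""
    return {c.name: c.findings for c in (audit_set_cookie(h) for h in headers)}


# Constructed sample: the first line is the one quoted in the OpenVAS output,
# the second is what a hardened version of the same cookie looks like, the
# third misuses the __Host- prefix (Domain is not allowed with it).
SAMPLE_HEADERS = [
    "Set-Cookie: 45342agfd4=replaced; path=/; HttpOnly",
    "Set-Cookie: __Host-45342agfd4=replaced; Path=/; Secure; HttpOnly; SameSite=Lax",
    "Set-Cookie: __Host-broken=1; Path=/; Domain=example.invalid; Secure; HttpOnly; SameSite=Strict",
]

if __name__ == "__main__":
    for name, findings in audit_response(SAMPLE_HEADERS).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

Feed it the Set-Cookie lines from a `curl -I https://your-host/` response. If you remediate at the web server level rather than in the application, Apache's mod_headers can rewrite outgoing cookies (for example `Header edit Set-Cookie ^(.*)$ "$1; Secure"`); note that the Secure attribute only stops the browser from sending the cookie over plain HTTP, so pairing it with an HTTPS redirect and HSTS is what actually removes the clear-text exposure the risk description talks about.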

SameSiteCookieMiddleware.php implements this feature, but somehow it is not working for me.

	protected function setSameSiteCookie() {
		$cookieParams = $this->request->getCookieParams();
		// 'secure; ' is only appended when PHP saw this request as HTTPS
		$secureCookie = ($cookieParams['secure'] === true) ? 'secure; ' : '';
		$policies = [ /* list omitted in the quoted snippet */ ];
		// Append __Host to the cookie if it meets the requirements
		$cookiePrefix = '';
		if($cookieParams['secure'] === true && $cookieParams['path'] === '/') {
			$cookiePrefix = '__Host-';
		}
		// (rest of the method omitted in the quoted snippet)

I thought this was implemented, as well as the __Host flag if NC is not in a subdir.

Did this issue find its way to GitHub to get quick dev attention?

I have a dedicated domain and am not running in any subdomain or subdir.
Thanks for the GitHub suggestion, I've just raised it as an issue there.
