---
title: Set Secure Flag On Session Cookies
impact: HIGH
impactDescription: prevents cookie theft over unencrypted connections
tags: cookies, secure, https, session, security, kotlin
---

## Set Secure Flag On Session Cookies

Without the `Secure` flag, a browser will also send the cookie over unencrypted HTTP connections, where an on-path (man-in-the-middle) attacker can read it and replay the session.

**Incorrect (no Secure flag):**

```kotlin
// Raw Ktor response
call.response.cookies.append("session", token) // No flags set: secure and httpOnly default to false

// Spring Boot / Servlet
// import jakarta.servlet.http.Cookie   (javax.servlet.http.Cookie on Spring Boot 2)
val cookie = Cookie("session", token)
response.addCookie(cookie) // Secure flag defaults to false
```

**Correct (Secure flag set):**

```kotlin
// Ktor
call.response.cookies.append(
    name = "session",
    value = token,
    secure = true,       // HTTPS only
    httpOnly = true,     // not readable from JavaScript
    extensions = mapOf("SameSite" to "Strict")
)

// Spring Boot / Servlet
// import jakarta.servlet.http.Cookie   (javax.servlet.http.Cookie on Spring Boot 2)
val cookie = Cookie("session", token).apply {
    secure = true        // HTTPS only (Kotlin property for setSecure/getSecure)
    isHttpOnly = true    // Kotlin property for setHttpOnly/isHttpOnly
    path = "/"
}
response.addCookie(cookie)

// Spring Boot Application Configuration (application.properties)
// server.servlet.session.cookie.secure=true
```

**Validation:**
- In production, always ensure `secure = true`; confirm it by inspecting the `Set-Cookie` header of the login response, not only the source.
- For local development without HTTPS, this may need to be configurable, but it must be enabled by default for all deployed environments.

**Tools:** OWASP ZAP, SonarQube, Manual Security Audit, Browser DevTools
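An added check (not part of the original rule) that audits `Set-Cookie` headers, as captured in Browser DevTools or a proxy, for the `Secure`, `HttpOnly` and `SameSite` attributes on session cookies; the header values and the session cookie names are constructed samples.

```kotlin
// Added example: audit Set-Cookie header values for the attributes this rule requires.
// Cookie names treated as "session" cookies are an assumption for the sample.
data class CookieAudit(val name: String, val missing: List<String>)

// Parse one Set-Cookie value; return null for cookies that are out of scope.
fun auditSetCookie(
    header: String,
    sessionNames: Set<String> = setOf("session", "JSESSIONID"),
): CookieAudit? {
    val parts = header.split(';').map { it.trim() }
    val name = parts.first().substringBefore('=').trim()
    if (name !in sessionNames) return null
    // Attribute names are case-insensitive per the cookie spec.
    val attrs = parts.drop(1).map { it.lowercase() }
    val missing = mutableListOf<String>()
    if ("secure" !in attrs) missing += "Secure"
    if ("httponly" !in attrs) missing += "HttpOnly"
    if (attrs.none { it.startsWith("samesite=") }) missing += "SameSite"
    // SameSite=None is only honoured by browsers when Secure is also present.
    if ("samesite=none" in attrs && "secure" !in attrs) missing += "Secure (required with SameSite=None)"
    return CookieAudit(name, missing.distinct())
}

fun main() {
    // Constructed sample headers, e.g. copied from the login response in DevTools.
    val headers = listOf(
        "session=abc123; Path=/",
        "session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",
        "JSESSIONID=0A1B2C; Path=/; HttpOnly; SameSite=None",
        "theme=dark; Path=/",
    )
    for (h in headers) {
        val result = auditSetCookie(h) ?: continue
        if (result.missing.isEmpty()) println("OK   ${result.name}")
        else println("FAIL ${result.name}: missing ${result.missing.joinToString()}")
    }
}
```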
