Configuration Management / Duplicate Cookies Set

Web and API

Description

Duplicate cookies set is a configuration management weakness in web and API applications. It occurs when a single response carries two or more Set-Cookie headers with the same cookie name but different values, typically because more than one layer (application code, framework session middleware, a reverse proxy or load balancer) sets the same cookie, or because the same name is set with different Path or Domain scopes. A browser may store both copies and send both back in the same Cookie header, and RFC 6265 does not define which copy a server should use, so different components of the application can end up reading different values. When the affected cookie carries a session or authentication token, this ambiguity can interfere with session handling and, in the worst case, be abused to hijack a user's session, leading to the disclosure or modification of sensitive data. The OWASP Testing Guide's session management tests describe how to identify and verify this behaviour.

Risk

The severity depends on which cookie is duplicated. A duplicated preference cookie is a cosmetic defect; a duplicated session or authentication cookie is high risk, because it can lead to the compromise of user data. The impact then scales with the sensitivity of the data the session grants access to and with what an attacker could do to users by reading or changing it.

Solution

Ensure that each response sets a given cookie name at most once. Audit every layer that can emit Set-Cookie headers (application code, framework session middleware, reverse proxies, load balancers and WAFs) and make exactly one of them authoritative for each cookie name. Use a single session cookie per user, with a unique and unpredictable value; when the value must change (for example after login), overwrite it with one Set-Cookie header rather than adding a second. When removing a cookie, expire it with the same Path and Domain it was originally set with, otherwise the old copy persists in the browser alongside the new one. Also give the cookie a reasonable expiration time so that it does not remain valid for too long. Verify the fix by inspecting the Set-Cookie headers of responses (with curl -I or the browser's developer tools) and confirming that no cookie name appears twice.
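The following is an added example written for this page, not code from the original page or from any product it describes. It illustrates both the Description and the Solution above: it finds duplicate Set-Cookie headers in a response, rebuilds the Cookie header a browser would send back for a given request path (following the ordering rule in RFC 6265 section 5.4), shows that a first-occurrence parser and a last-occurrence parser disagree on the value, and finally coalesces the headers so that only one Set-Cookie per name leaves the server. The sample response, the cookie name sessionid and the choice that the last header written is the authoritative one are all assumptions made for illustration.

```python
"""Added example: detect duplicate Set-Cookie headers, show the ambiguity they
create once a browser sends both copies back, and coalesce them (one per name)."""
from collections import defaultdict
from typing import Dict, List

# Constructed sample response (not captured from any real system): the application
# framework and a reverse proxy each set "sessionid", with different scopes.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: sessionid=abc123; Path=/; HttpOnly; Secure\r\n"
    "Set-Cookie: theme=dark; Path=/\r\n"
    "Set-Cookie: sessionid=xyz789; Path=/app; HttpOnly; Secure\r\n"
    "\r\n"
    "<html></html>"
)

Cookie = Dict[str, str]  # keys: "name", "value", plus lower-cased attributes


def parse_set_cookies(raw_response: str) -> List[Cookie]:
    """Return one record per Set-Cookie header, in the order the server sent them."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    cookies: List[Cookie] = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        hname, sep, hval = line.partition(":")
        if not sep or hname.strip().lower() != "set-cookie":
            continue
        pair, *attrs = [p.strip() for p in hval.split(";")]
        name, _, value = pair.partition("=")
        # Default Path=/ is a simplification; RFC 6265 derives it from the request URI.
        cookie: Cookie = {"name": name.strip(), "value": value.strip(), "path": "/"}
        for attr in attrs:
            key, _, val = attr.partition("=")
            cookie[key.strip().lower()] = val.strip()
        cookies.append(cookie)
    return cookies


def find_duplicates(cookies: List[Cookie]) -> Dict[str, List[Cookie]]:
    """Cookie names that appear more than once in a single response."""
    by_name: Dict[str, List[Cookie]] = defaultdict(list)
    for c in cookies:
        by_name[c["name"]].append(c)
    return {n: cs for n, cs in by_name.items() if len(cs) > 1}


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def build_cookie_header(cookies: List[Cookie], request_path: str) -> str:
    """Cookie header a browser sends for request_path (RFC 6265 section 5.4):
    longer paths first, otherwise creation order; same-name cookies are not merged."""
    matching = [c for c in cookies if path_matches(request_path, c["path"])]
    matching.sort(key=lambda c: -len(c["path"]))  # stable sort keeps creation order
    return "; ".join(f'{c["name"]}={c["value"]}' for c in matching)


def first_wins(cookie_header: str) -> Dict[str, str]:
    """Server-side parser that keeps the first occurrence of a name."""
    seen: Dict[str, str] = {}
    for pair in cookie_header.split("; "):
        name, _, value = pair.partition("=")
        seen.setdefault(name, value)
    return seen


def last_wins(cookie_header: str) -> Dict[str, str]:
    """Server-side parser that keeps the last occurrence (another component may do this)."""
    seen: Dict[str, str] = {}
    for pair in cookie_header.split("; "):
        name, _, value = pair.partition("=")
        seen[name] = value
    return seen


def coalesce_set_cookies(cookies: List[Cookie]) -> List[Cookie]:
    """Emit at most one Set-Cookie per name. Which layer is authoritative is a
    deployment decision; this example assumes the last header written wins."""
    latest: Dict[str, Cookie] = {}
    for c in cookies:
        latest[c["name"]] = c  # a later header replaces an earlier one
    return list(latest.values())  # dict keeps the first-insertion order of each name


if __name__ == "__main__":
    cookies = parse_set_cookies(SAMPLE_RESPONSE)
    for name, copies in find_duplicates(cookies).items():
        print(f"duplicate cookie {name!r}: {[c['value'] for c in copies]}")
    hdr = build_cookie_header(cookies, "/app/home")
    print("browser sends:", hdr)
    print("first-wins parser sees:", first_wins(hdr)["sessionid"])
    print("last-wins parser sees:", last_wins(hdr)["sessionid"])
    print("coalesced:", [(c["name"], c["value"]) for c in coalesce_set_cookies(cookies)])
```

For a request to /app/home both sessionid cookies match and the browser sends them in the order sessionid=xyz789; sessionid=abc123, so a first-occurrence parser authenticates with xyz789 while a last-occurrence parser sees abc123; for a request to / only the Path=/ copy is sent and both parsers agree. Coalescing on the server stops new duplicates from being issued, but a copy the browser has already stored under the narrower Path persists until it is expired with a Set-Cookie that uses the same Path and Domain.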
