Skip to main content


Secure Cookies: How to enable secure session cookies and set application cookies as secure



Secure Cookies: How to enable secure session cookies and set application cookies as secure


Cookies may contain sensitive information that shouldn’t be accessible to an attacker eavesdropping a channel. To ensure that cookies aren’t transmitted in clear text, it’s possible to send them with a secure flag.

Well behaviored web browsers which support the secure flag will only send cookies with the secure flag when the request is going through HTTPS, which means that by setting the secure flag for a cookie, the browser will prevent its transmission over an unencrypted channel.

The unsecure cookies issue is commonly raised in penetration test reports performed on OutSystems applications if the environment they are running on is missing some simple configurations. The next sections contain instructions on how to secure both session and application cookies.

Secure session cookies

Session cookies store information about a user session after the user logs in to an application. This information is very sensitive, since a session cookie can be used by an attacker to impersonate the victim (see more about Session Hijacking).

You can easily configure an OutSystems environment to have secure session cookies. To do that, you can install the OutSystems supported component Factory Configuration, available at the OutSystems Forge.

After installing Factory Configuration, access the application and, under the Platform Configurations tab, you can find the option to enable secure session cookies:

Important note: Remember that having the secure flag, session cookies will only be sent through HTTPS. Therefore, to prevent unexpected behavior with user sessions, when activating secure session cookies, you should also force HTTPS for all screens. By enabling the Improved Application Security option, you’ll have access to additional security configurations for your environment on Service Center and Lifetime, which will allow, not only to force HTTPS for web screens but also for web references:

This option is enabled by default in OutSystems 10 and it’s available for OutSystems 9.1 since revision patch 9.1.600.0.

Secure application cookies

When setting a custom cookie in an application, you can append “; secure” to the cookie value to force a secure flag. Here's an example from Service Studio: