
Secure cookies: the flags that keep a login from being stolen

What it is

When a customer logs in, your store sets a cookie in their browser that keeps them signed in. Three small flags decide how safely the browser handles that cookie. Secure tells the browser to send it only over HTTPS, HttpOnly keeps page scripts from reading it, and SameSite (set to Lax or Strict) stops the browser from attaching it to requests that other sites trigger. Without them, the session cookie is easier to read, copy, or reuse.

How common it is

Three in five audited stores (61%) set these flags on their cookies. The audit reads the Set-Cookie headers your store sends and checks each cookie for Secure, HttpOnly, and SameSite. A store can run fully on HTTPS and still fail, because the padlock only encrypts the connection; these flags govern where the browser will send the cookie and who on the page can read it once it is stored on the device.
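The check described above (read the Set-Cookie headers, test each cookie for the three flags) is small enough to reproduce. The script below is an added example written for this page, not the audit tool's own code. It parses Set-Cookie headers from a raw HTTP response head and reports which flags each cookie is missing; the two sample headers it runs over are constructed, one weak session cookie and one hardened one.

```python
"""Audit Set-Cookie headers for the Secure, HttpOnly and SameSite flags."""


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attribute: value}).

    Attribute names are case-insensitive (RFC 6265), so they are
    normalised to lowercase keys. Flag attributes such as Secure map to "".
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_cookie(header_value):
    """Return (cookie_name, findings). An empty findings list means the
    cookie carries all three flags with values that actually protect it."""
    name, _, attrs = parse_set_cookie(header_value)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: also sent over plain http://")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by page scripts via document.cookie")
    same_site = attrs.get("samesite", "").lower()
    if not same_site:
        findings.append("missing SameSite: attached to requests other sites trigger")
    elif same_site == "none":
        # Present but offering no cross-site protection; treated as a finding
        # here, which is this example's judgement rather than the audit's rule.
        findings.append("SameSite=None: attached to cross-site requests by design")
    elif same_site not in ("lax", "strict"):
        findings.append(f"SameSite={attrs['samesite']}: unrecognised value")
    return name, findings


def audit_response_head(raw_head):
    """Audit every Set-Cookie header in a raw HTTP response head,
    e.g. the text printed by `curl -sI https://shop.example/login`."""
    results = {}
    for line in raw_head.splitlines():
        if line.lower().startswith("set-cookie:"):
            header_value = line.split(":", 1)[1].strip()
            name, findings = audit_cookie(header_value)
            results[name] = findings
    return results


# Constructed sample response head: one bare session cookie, one hardened.
SAMPLE_HEAD = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: PHPSESSID=abc123; Path=/
Set-Cookie: sessionid=def456; Path=/; Secure; HttpOnly; SameSite=Lax
"""

if __name__ == "__main__":
    for cookie_name, cookie_findings in audit_response_head(SAMPLE_HEAD).items():
        print(("FAIL " if cookie_findings else "OK   ") + cookie_name)
        for finding in cookie_findings:
            print("     -", finding)
```

Feed it the output of `curl -sI` against your own login page and the PHPSESSID line in the sample is exactly what a failing store looks like: three findings, one per missing flag. Note that the Set-Cookie header is only sent when the cookie is created, so fetch the page that actually starts the session rather than the home page.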

Why it costs you

A session cookie stands in for the password once someone is logged in. If a customer’s cookie has no HttpOnly flag, a single injected script on the page can read it and send it elsewhere, and whoever receives it is logged in as that customer with no password needed. HttpOnly blocks reading the cookie, not using it: an injected script can still make requests that carry it, so the flag limits what an injection can take away rather than making the injection harmless. Without the Secure flag, the browser will also attach the cookie to any plain http:// request to your domain, so one unencrypted link or typed URL on public Wi-Fi exposes it to anyone watching the network. If the stolen cookie is an admin’s, that one cookie hands over the whole store. The flags cost nothing to add and close that path before it opens.

Check it in 30 seconds

In your browser, open Developer Tools, go to the Application or Storage tab, and look at the cookies for your site. The session cookie, often named PHPSESSID or sessionid, should show Secure and HttpOnly checked and SameSite set to Lax or Strict. If those columns are blank, or SameSite reads None, the cookie has none of these protections and is being stored and sent with no restrictions at all.

Read next: Ecommerce Security: The Losses You Don’t See

Run the free audit to see whether your store’s login cookies carry their safety flags.