Uploaded image for project: 'Rules Repository'
  1. Rules Repository
  2. RSPEC-2092

Creating cookies without the "secure" flag is security-sensitive

    XMLWordPrintable

    Details

    • Message:
      Make sure creating this cookie without the "secure" flag is safe.
    • Default Severity:
      Minor
    • Impact:
      Low
    • Likelihood:
      Low
    • Default Quality Profiles:
      Sonar way
    • Targeted languages:
      C++, Objective-C, VB.Net
    • Covered Languages:
      C#, Java, JavaScript, PHP, Python
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      5min
    • Analysis Level:
      Semantic Analysis
    • Analysis Scope:
      Main Sources
    • Common Rule:
      Yes
    • CWE:
      CWE-614, CWE-311, CWE-315
    • OWASP:
      A3
    • SANS Top 25:
      Porous Defenses
    • FindSecBugs:
      INSECURE_COOKIE

      Description

      When a cookie is protected with the secure attribute set to true it will not be send by the browser over an unencrypted HTTP request and thus cannot be observed by an unauthorized person during a man-in-the-middle attack.

      Ask Yourself Whether

      • the cookie is for instance a session-cookie not designed to be sent over non-HTTPS communication.
      • it's not sure that the website contains mixed content or not (ie HTTPS everywhere or not)

      There is a risk if you answered yes to any of those questions.

      Recommended Secure Coding Practices

      • It is recommended to use HTTPs everywhere so setting the secure flag to true should be the default behaviour when creating cookies.
      • Set the secure flag to true for session-cookies.

      See

        Attachments

          Issue Links

          is implemented by

          New Feature - A new feature of the product, which has yet to be developed. SONARSLANG-467 [kotlin] Rule 2092: Creating cookies without the "secure" flag is security-sensitive

          • Major - Major loss of function.
          • Resolved

          New Feature - A new feature of the product, which has yet to be developed. SONARJAVA-780 Rule: Cookies should be secure

          • Major - Major loss of function.
          • Closed

          New Feature - A new feature of the product, which has yet to be developed. SONARPHP-635 Rule S2092: Cookies should be "secure"

          • Major - Major loss of function.
          • Closed

          New Feature - A new feature of the product, which has yet to be developed. SONARPY-489 Rule S2092: Creating cookies without the "secure" flag is security-sensitive

          • Major - Major loss of function.
          • Closed

          Improvement - An improvement or enhancement to an existing feature or task. SONARJAVA-2768 FN S2092: new Cookie("name", "value")

          • Major - Major loss of function.
          • Closed

          Improvement - An improvement or enhancement to an existing feature or task. SONARJAVA-3100 FN on Rule S2092: Update the implementation to raise on cookie instantiation and setSecure

          • Major - Major loss of function.
          • Closed

          Improvement - An improvement or enhancement to an existing feature or task. SONARPHP-934 [S2092] & [S3330] Bad flags on cookies not detected correctly

          • Major - Major loss of function.
          • Closed
          is related to

          Improvement - An improvement or enhancement to an existing feature or task. SONARJAVA-3096 S2068, S2092, S2115 and S3330 are not able to resolve variable latest assigned values anymore

          • Major - Major loss of function.
          • Closed

          Improvement - An improvement or enhancement to an existing feature or task. SONARJAVA-3500 Support latest version of Play framework in S3330 and S2092

          • Major - Major loss of function.
          • Closed

          False Negative - True issue, expected to be covered by a rule, but ultimately not reported SONARPY-577 Fix FN on S2092: setting a cookie without secure flag

          • Major - Major loss of function.
          • Open

          False-Positive - Unexpected issue reported by a rule SONARJAVA-3107 Rule S2092: False Positive on SavedCookie

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Closed
          relates to

          Improvement - An improvement or enhancement to an existing feature or task. SONARJAVA-2767 Rule S2092: support more Cookie types

          • Major - Major loss of function.
          • Closed
          links to

          Web Link is implemented by sonar-csharp/issues/1292

          Web Link is implemented by SonarJS/issues/1789

          1.
          		 PHP RSPEC-3761 Language-Specification Active Unassigned
          2.
          		 C# RSPEC-4556 Language-Specification Active Unassigned
          3.
          		 Java RSPEC-4557 Language-Specification Active Unassigned
          4.
          		 Python RSPEC-5551 Language-Specification Active Unassigned
          5.
          		 Kotlin RSPEC-5576 Language-Specification Active Unassigned
          6.
          		 JavaScript RSPEC-5678 Language-Specification Active Unassigned

            Activity

              People

              Assignee:
              Unassigned Unassigned
              Reporter:
              ann.campbell.2 Ann Campbell
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Dates

                Created:
                Updated: