Details

    • Type: Language-Specification
    • Status: Active
    • Resolution: Unresolved
    • Labels:
      None
    • Message:
      Add the "HttpOnly" cookie attribute.
    • Impact:
      Unknown 'null' severity
    • Likelihood:
      Unknown 'null' severity

      Description

      Sensitive Code Example

      When the HttpCookie.HttpOnly property is set to false, the cookie can be read by client-side script:

      HttpCookie myCookie = new HttpCookie("Sensitive cookie");
      myCookie.HttpOnly = false; // Sensitive: this cookie is created with the HttpOnly flag set to false, so it can be stolen easily in case of an XSS vulnerability

      The default value of the HttpOnly flag is false unless it is overridden in the application's configuration file:

      HttpCookie myCookie = new HttpCookie("Sensitive cookie");
      // Sensitive: this cookie is created without the HttpOnly flag (false by default), so it can be stolen easily in case of an XSS vulnerability

      Compliant Solution

      Set the HttpCookie.HttpOnly property to true:

      HttpCookie myCookie = new HttpCookie("Sensitive cookie");
      myCookie.HttpOnly = true; // Compliant: the sensitive cookie is protected against theft because the HttpOnly property is set to true

      Or change the default flag values for the whole application by editing the Web.config configuration file:

      <httpCookies httpOnlyCookies="true" requireSSL="true" />

      • the requireSSL attribute corresponds to the HttpCookie.Secure property.
      • the httpOnlyCookies attribute corresponds to the HttpCookie.HttpOnly property.
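      The following is an added example, not part of this rule's text: a hypothetical ASP.NET IHttpModule (named CookieHardeningModule here) that acts as a safety net when the Web.config defaults cannot be relied on. At the end of each request it reports every cookie about to be sent without HttpOnly, then sets HttpOnly on all of them (and Secure when the request came over HTTPS), mirroring what the httpOnlyCookies and requireSSL attributes do.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Web;

// Hypothetical module name; register it under <system.webServer><modules> in Web.config.
public sealed class CookieHardeningModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // EndRequest runs before a buffered response flushes its headers,
        // so the Set-Cookie headers can still be influenced here.
        app.EndRequest += (sender, e) =>
        {
            HttpContext ctx = ((HttpApplication)sender).Context;

            foreach (string name in FindUnprotected(ctx.Response.Cookies))
            {
                // Surface the defect so it gets fixed at its source; replace with the app's logger.
                Trace.TraceWarning("Cookie '{0}' was about to be sent without HttpOnly", name);
            }

            Harden(ctx.Response.Cookies, ctx.Request.IsSecureConnection);
        };
    }

    public void Dispose() { }

    // Returns the names of cookies in the collection that lack the HttpOnly flag.
    public static List<string> FindUnprotected(HttpCookieCollection cookies)
    {
        var names = new List<string>();
        for (int i = 0; i < cookies.Count; i++)
        {
            if (!cookies[i].HttpOnly) names.Add(cookies[i].Name);
        }
        return names;
    }

    // Forces HttpOnly on every cookie. Secure is only added for HTTPS requests,
    // because a Secure cookie issued over plain HTTP is not accepted by modern browsers.
    public static void Harden(HttpCookieCollection cookies, bool isHttps)
    {
        for (int i = 0; i < cookies.Count; i++)
        {
            cookies[i].HttpOnly = true;
            if (isHttps) cookies[i].Secure = true;
        }
    }
}
```

      FindUnprotected can also be called from a unit test against a constructed HttpCookieCollection to assert that a handler never emits a non-HttpOnly cookie.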

      People

      Assignee: Unassigned
      Reporter: Alexandre Gigleux