Details

    • Type: Language-Specification
    • Status: Active
    • Resolution: Unresolved
    • Labels:
      None
    • Message:
      Make sure creating this cookie without setting the 'Secure' property is safe here.

      Description

      Sensitive Code Example

      When the HttpCookie.Secure property is set to false, the browser also sends the cookie on unencrypted HTTP requests, where anyone on the network path can read or replace its value:

      HttpCookie myCookie = new HttpCookie("Sensitive cookie");
      myCookie.Secure = false; //  Sensitive: a security-sensitive cookie is created with the secure flag set to false 
      

      The default value of the Secure flag is false unless it is overridden in the application's configuration file, so a cookie created without setting the property explicitly is sent over plain HTTP as well:

      HttpCookie myCookie = new HttpCookie("Sensitive cookie");  
      //  Sensitive: a security-sensitive cookie is created with the secure flag not defined (by default set to false)
      

      Compliant Solution

      Set the HttpCookie.Secure property to true:

      HttpCookie myCookie = new HttpCookie("Sensitive cookie");
      myCookie.Secure = true; // Compliant
      

      Or change the defaults for the whole application in the httpCookies element of the Web.config configuration file:

      <httpCookies httpOnlyCookies="true" requireSSL="true" />
      
      • the requireSSL attribute corresponds programmatically to the HttpCookie.Secure property.
      • the httpOnlyCookies attribute corresponds programmatically to the HttpCookie.HttpOnly property.
      • a Secure cookie is only returned by the browser over HTTPS, so the whole site (including the page that issues the cookie) must be served over HTTPS, otherwise the cookie never reaches the application.
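As an added example (not code from the rule page or from the SonarSource project), the following Global.asax.cs for a System.Web application shows a helper that builds a compliant cookie and an EndRequest hook that forces the Secure and HttpOnly flags on every cookie the response is about to send, which catches cookies created elsewhere with the default Secure = false. The class name Global, the helper name CreateSecureCookie and the cookie names are assumptions; SameSite requires .NET Framework 4.7.2 or later.

```csharp
// Added example, not the original page's code. Assumes an ASP.NET (System.Web)
// application targeting .NET Framework 4.7.2 or later.
using System;
using System.Web;

public class Global : HttpApplication
{
    // Build a security-sensitive cookie with the flags it needs:
    // Secure   -> only transmitted over HTTPS (the point of this rule)
    // HttpOnly -> not readable from JavaScript
    // SameSite -> not attached to most cross-site requests
    public static HttpCookie CreateSecureCookie(string name, string value)
    {
        return new HttpCookie(name, value)
        {
            Secure = true,   // Compliant: never sent on an unencrypted request
            HttpOnly = true,
            SameSite = SameSiteMode.Lax
        };
    }

    // Example use from a page or handler (hypothetical cookie name "session").
    public static void IssueSession(HttpResponse response, string sessionId)
    {
        response.Cookies.Add(CreateSecureCookie("session", sessionId));
    }

    // Defence in depth: at the end of every request, force the flags on all
    // outgoing cookies, including any created with the default Secure = false.
    protected void Application_EndRequest(object sender, EventArgs e)
    {
        HttpResponse response = HttpContext.Current?.Response;
        if (response == null)
        {
            return;
        }

        foreach (string key in response.Cookies.AllKeys)
        {
            HttpCookie cookie = response.Cookies[key];
            if (!cookie.Secure)
            {
                cookie.Secure = true;  // same effect as requireSSL="true" in Web.config
            }
            cookie.HttpOnly = true;    // same effect as httpOnlyCookies="true"
        }
    }
}
```

The EndRequest sweep is a safety net, not a replacement for the Web.config setting: configure requireSSL="true" so the default is correct, and keep the hook for cookies added by third-party modules that set the flag explicitly to false.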

            People

            Assignee:
            Unassigned
            Reporter:
            Alexandre Gigleux