All Downloads are FREE. Search and download functionalities are using the official Maven repository.

org.sonar.plugins.csharp.S2092.html Maven / Gradle / Ivy

There is a newer version: 10.2.0.105762
Show newest version

When a cookie is protected with the secure attribute set to true it will not be send by the browser over an unencrypted HTTP request and thus cannot be observed by an unauthorized person during a man-in-the-middle attack.

Ask Yourself Whether

  • the cookie is for instance a session-cookie not designed to be sent over non-HTTPS communication.
  • it’s not sure that the website contains mixed content or not (ie HTTPS everywhere or not)

There is a risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

  • It is recommended to use HTTPs everywhere so setting the secure flag to true should be the default behaviour when creating cookies.
  • Set the secure flag to true for session-cookies.

Sensitive Code Example

When the HttpCookie.Secure property is set to false then the cookie will be send during an unencrypted HTTP request:

HttpCookie myCookie = new HttpCookie("Sensitive cookie");
myCookie.Secure = false; //  Sensitive: a security-sensitive cookie is created with the secure flag set to false

The default value of Secure flag is false, unless overwritten by an application’s configuration file:

HttpCookie myCookie = new HttpCookie("Sensitive cookie");
//  Sensitive: a security-sensitive cookie is created with the secure flag not defined (by default set to false)

Compliant Solution

Set the HttpCookie.Secure property to true:

HttpCookie myCookie = new HttpCookie("Sensitive cookie");
myCookie.Secure = true; // Compliant

Or change the default flag values for the whole application by editing the Web.config configuration file:

<httpCookies httpOnlyCookies="true" requireSSL="true" />
  • the requireSSL attribute corresponds programmatically to the Secure field.
  • the httpOnlyCookies attribute corresponds programmatically to the httpOnly field.

See





© 2015 - 2024 Weber Informatics LLC | Privacy Policy