• Home
• org.sonarsource.java
• java-checks
• 3.13
• source code
• S2092.html

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

org.sonar.l10n.java.rules.squid.S2092.html Maven / Gradle / Ivy

The "secure" attribute prevents cookies from being sent over plaintext connections such as HTTP, where they would be easily eavesdropped upon. Instead, cookies with the secure attribute are only sent over encrypted HTTPS connections.
Noncompliant Code Example

Cookie c = new Cookie(SECRET, secret);  // Noncompliant; cookie is not secure
response.addCookie(c);

Compliant Solution

Cookie c = new Cookie(SECRET, secret);
c.setSecure(true);
response.addCookie(c);

See


 MITRE, CWE-614 - Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
 OWASP Top Ten 2013 Category A2 - Broken Authentication and Session Management
 OWASP Top Ten 2013 Category A6 - Sensitive Data Exposure