30 lines
1.2 KiB
Plaintext
30 lines
1.2 KiB
Plaintext
|
include::../description.adoc[]
|
||
|
|
|
||
|
|
include::../ask-yourself.adoc[]
|
||
|
|
|
||
|
|
include::../recommended.adoc[]
|
||
|
|
|
||
|
|
== Sensitive Code Example
|
||
|
|
|
||
|
|
For example In C# you can specify the HttpOnly flag for https://docs.microsoft.com/en-us/dotnet/api/system.web.httpcookie?view=netframework-4.8[HttpCookie] object.
|
||
|
|
|
||
|
|
----
|
||
|
|
HttpCookie myCookie = new HttpCookie("Sensitive cookie");
|
||
|
|
myCookie.HttpOnly = false; // Sensitive: this sensitive cookie is created with the httponly flag set to false and so it can be stolen easily in case of XSS vulnerability
|
||
|
|
----
|
||
|
|
|
||
|
|
The https://docs.microsoft.com/en-us/dotnet/api/system.web.httpcookie.httponly?view=netframework-4.8[default value] of <code>secure</code> flag is false:
|
||
|
|
----
|
||
|
|
HttpCookie myCookie = new HttpCookie("Sensitive cookie");
|
||
|
|
// Sensitive: this sensitive cookie is created with the httponly flag not defined (by default set to false) and so it can be stolen easily in case of XSS vulnerability
|
||
|
|
----
|
||
|
|
|
||
|
|
== Compliant Solution
|
||
|
|
|
||
|
|
----
|
||
|
|
HttpCookie myCookie = new HttpCookie("Sensitive cookie");
|
||
|
|
myCookie.HttpOnly = true; // Compliant: the sensitive cookie is protected against theft thanks to the HttpOnly property set to true (HttpOnly = true)
|
||
|
|
----
|
||
|
|
|
||
|
|
include::../see.adoc[]
|