2020-06-30 12:48:39 +02:00
include::../description.adoc[]
include::../ask-yourself.adoc[]
include::../recommended.adoc[]
== Sensitive Code Example
If you create a security-sensitive cookie in your Kotlin code:
2020-06-30 14:49:38 +02:00
2020-06-30 12:48:39 +02:00
----
val c1 = Cookie("admin", "secret")
c1.setHttpOnly(false) // Sensitive: this sensitive cookie is created with the httponly flag set to false and so it can be stolen easily in case of XSS vulnerability
----
2021-01-27 13:42:22 +01:00
By default the https://docs.oracle.com/javaee/6/api/javax/servlet/http/Cookie.html#setHttpOnly(boolean)[``++HttpOnly++``] flag is set to _false:_
2020-06-30 14:49:38 +02:00
2020-06-30 12:48:39 +02:00
----
val c2 = Cookie("admin", "secret") // Sensitive: this sensitive cookie is created with the httponly flag not defined (by default set to false) and so it can be stolen easily in case of XSS vulnerability
----
== Compliant Solution
2022-02-04 17:28:24 +01:00
[source,kotlin]
2020-06-30 12:48:39 +02:00
----
val c3 = Cookie("admin", "secret")
c3.setHttpOnly(true) // Compliant: this sensitive cookie is protected against theft (HttpOnly=true)
----
include::../see.adoc[]
2021-06-02 20:44:38 +02:00
2021-06-03 09:05:38 +02:00
ifdef::env-github,rspecator-view[]
2021-09-20 15:38:42 +02:00
'''
== Implementation Specification
(visible only on this page)
include::../message.adoc[]
2021-06-08 15:52:13 +02:00
'''
2021-06-02 20:44:38 +02:00
== Comments And Links
(visible only on this page)
include::../comments-and-links.adoc[]
2023-06-22 10:38:01 +02:00
2021-06-03 09:05:38 +02:00
endif::env-github,rspecator-view[]
