2020-06-30 12:48:39 +02:00
include::../description.adoc[]
include::../ask-yourself.adoc[]
include::../recommended.adoc[]
== Sensitive Code Example
2021-04-26 17:29:13 +02:00
When the ``++HttpCookie.HttpOnly++`` property is set to ``++false++`` then the cookie can be accessed by client side code:
2021-02-02 15:02:10 +01:00
2020-06-30 12:48:39 +02:00
----
HttpCookie myCookie = new HttpCookie("Sensitive cookie");
2021-04-26 17:29:13 +02:00
myCookie.HttpOnly = false; // Sensitive: this cookie is created with the httponly flag set to false and so it can be stolen easily in case of XSS vulnerability
2020-06-30 12:48:39 +02:00
----
2021-04-26 17:29:13 +02:00
The https://docs.microsoft.com/en-us/dotnet/api/system.web.httpcookie.httponly?view=netframework-4.8[default value] of ``++HttpOnly++`` flag is ``++false++``, unless overwritten by an application's configuration file:
2020-06-30 14:49:38 +02:00
2020-06-30 12:48:39 +02:00
----
HttpCookie myCookie = new HttpCookie("Sensitive cookie");
2021-04-26 17:29:13 +02:00
// Sensitive: this cookie is created without the httponly flag (by default set to false) and so it can be stolen easily in case of XSS vulnerability
2020-06-30 12:48:39 +02:00
----
== Compliant Solution
2021-04-26 17:29:13 +02:00
Set the ``++HttpCookie.HttpOnly++`` property to ``++true++``:
2022-02-04 17:28:24 +01:00
[source,csharp]
2020-06-30 12:48:39 +02:00
----
HttpCookie myCookie = new HttpCookie("Sensitive cookie");
myCookie.HttpOnly = true; // Compliant: the sensitive cookie is protected against theft thanks to the HttpOnly property set to true (HttpOnly = true)
----
2021-04-26 17:29:13 +02:00
Or change the default flag values for the whole application by editing the https://docs.microsoft.com/en-us/previous-versions/dotnet/netframework-4.0/ms228262(v=vs.100)[Web.config configuration file]:
2022-02-04 17:28:24 +01:00
[source,csharp]
2021-04-26 17:29:13 +02:00
----
<httpCookies httpOnlyCookies="true" requireSSL="true" />
----
* the ``++requireSSL++`` attribute corresponds programmatically to the ``++Secure++`` field.
* the ``++httpOnlyCookies++`` attribute corresponds programmatically to the ``++httpOnly++`` field.
2020-06-30 12:48:39 +02:00
include::../see.adoc[]
2021-06-02 20:44:38 +02:00
2021-06-03 09:05:38 +02:00
ifdef::env-github,rspecator-view[]
2021-09-20 15:38:42 +02:00
'''
== Implementation Specification
(visible only on this page)
2023-05-25 14:18:12 +02:00
=== Message
Add the "HttpOnly" cookie attribute.
2021-09-20 15:38:42 +02:00
2021-06-08 15:52:13 +02:00
'''
2021-06-02 20:44:38 +02:00
== Comments And Links
(visible only on this page)
include::../comments-and-links.adoc[]
2021-06-03 09:05:38 +02:00
endif::env-github,rspecator-view[]
