rspec/rules/S3330/csharp/rule.adoc

include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

When the ``++HttpCookie.HttpOnly++`` property is set to ``++false++`` then the cookie can be accessed by client side code:

----
HttpCookie myCookie = new HttpCookie("Sensitive cookie");
myCookie.HttpOnly = false; // Sensitive: this cookie is created with the httponly flag set to false and so it can be stolen easily in case of XSS vulnerability
----
The https://docs.microsoft.com/en-us/dotnet/api/system.web.httpcookie.httponly?view=netframework-4.8[default value] of ``++HttpOnly++`` flag is ``++false++``, unless overwritten by an application's configuration file:

----
HttpCookie myCookie = new HttpCookie("Sensitive cookie"); 
// Sensitive: this cookie is created without the httponly flag  (by default set to false) and so it can be stolen easily in case of XSS vulnerability
----

== Compliant Solution

Set the ``++HttpCookie.HttpOnly++`` property to ``++true++``:

----
HttpCookie myCookie = new HttpCookie("Sensitive cookie");
myCookie.HttpOnly = true; // Compliant: the sensitive cookie is protected against theft thanks to the HttpOnly property set to true (HttpOnly = true)
----
Or change the default flag values for the whole application by editing the https://docs.microsoft.com/en-us/previous-versions/dotnet/netframework-4.0/ms228262(v=vs.100)[Web.config configuration file]:

----
<httpCookies httpOnlyCookies="true" requireSSL="true" />
----

* the ``++requireSSL++`` attribute corresponds programmatically to the ``++Secure++`` field.
* the ``++httpOnlyCookies++`` attribute corresponds programmatically to the ``++httpOnly++`` field.

include::../see.adoc[]

ifdef::env-github,rspecator-view[]
'''
== Comments And Links
(visible only on this page)

include::../comments-and-links.adoc[]
endif::env-github,rspecator-view[]
Add rules 3000-3999 2020-06-30 12:48:39 +02:00			`include::../description.adoc[]`

			`include::../ask-yourself.adoc[]`

			`include::../recommended.adoc[]`

			`== Sensitive Code Example`

Update rules after the fix in the export module 2021-04-26 17:29:13 +02:00			When the ``++HttpCookie.HttpOnly++`` property is set to ``++false++`` then the cookie can be accessed by client side code:
Force linebreaks 2021-02-02 15:02:10 +01:00
Add rules 3000-3999 2020-06-30 12:48:39 +02:00			`----`
			`HttpCookie myCookie = new HttpCookie("Sensitive cookie");`
Update rules after the fix in the export module 2021-04-26 17:29:13 +02:00			`myCookie.HttpOnly = false; // Sensitive: this cookie is created with the httponly flag set to false and so it can be stolen easily in case of XSS vulnerability`
Add rules 3000-3999 2020-06-30 12:48:39 +02:00			`----`
Update rules after the fix in the export module 2021-04-26 17:29:13 +02:00			The https://docs.microsoft.com/en-us/dotnet/api/system.web.httpcookie.httponly?view=netframework-4.8[default value] of ``++HttpOnly++`` flag is ``++false++``, unless overwritten by an application's configuration file:
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
Add rules 3000-3999 2020-06-30 12:48:39 +02:00			`----`
			`HttpCookie myCookie = new HttpCookie("Sensitive cookie");`
Update rules after the fix in the export module 2021-04-26 17:29:13 +02:00			`// Sensitive: this cookie is created without the httponly flag (by default set to false) and so it can be stolen easily in case of XSS vulnerability`
Add rules 3000-3999 2020-06-30 12:48:39 +02:00			`----`

			`== Compliant Solution`

Update rules after the fix in the export module 2021-04-26 17:29:13 +02:00			Set the ``++HttpCookie.HttpOnly++`` property to ``++true++``:

Add rules 3000-3999 2020-06-30 12:48:39 +02:00			`----`
			`HttpCookie myCookie = new HttpCookie("Sensitive cookie");`
			`myCookie.HttpOnly = true; // Compliant: the sensitive cookie is protected against theft thanks to the HttpOnly property set to true (HttpOnly = true)`
			`----`
Update rules after the fix in the export module 2021-04-26 17:29:13 +02:00			`Or change the default flag values for the whole application by editing the https://docs.microsoft.com/en-us/previous-versions/dotnet/netframework-4.0/ms228262(v=vs.100)[Web.config configuration file]:`

			`----`
			`<httpCookies httpOnlyCookies="true" requireSSL="true" />`
			`----`

			* the ``++requireSSL++`` attribute corresponds programmatically to the ``++Secure++`` field.
			* the ``++httpOnlyCookies++`` attribute corresponds programmatically to the ``++httpOnly++`` field.
Add rules 3000-3999 2020-06-30 12:48:39 +02:00
			`include::../see.adoc[]`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`ifdef::env-github,rspecator-view[]`
RULEAPI-576: add a horizontal rule between rule description and comments 2021-06-08 15:52:13 +02:00			`'''`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`== Comments And Links`
			`(visible only on this page)`

			`include::../comments-and-links.adoc[]`
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`endif::env-github,rspecator-view[]`