2020-06-30 12:48:07 +02:00
|
|
|
include::../description.adoc[]
|
|
|
|
|
|
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
|
|
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
|
|
|
|
|
|
== Sensitive Code Example
|
|
|
|
|
|
|
|
|
|
If you create a security-sensitive cookie in your Kotlin code:
|
2020-06-30 14:49:38 +02:00
|
|
|
|
2020-06-30 12:48:07 +02:00
|
|
|
----
|
|
|
|
|
val c4 = Cookie("admin", "secret")
|
|
|
|
|
c4.setSecure(false) // Sensitive: a security-sensitive cookie is created with the secure flag set to false
|
|
|
|
|
----
|
|
|
|
|
|
2021-01-27 13:42:22 +01:00
|
|
|
By default the https://docs.oracle.com/javaee/6/api/javax/servlet/http/Cookie.html#setSecure(boolean)[``++secure++``] flag is set to _false:_
|
2020-06-30 14:49:38 +02:00
|
|
|
|
2020-06-30 12:48:07 +02:00
|
|
|
----
|
|
|
|
|
val c5 = Cookie("admin", "secret") // Sensitive: a security-sensitive cookie is created with the secure flag not defined (by default set to false)
|
|
|
|
|
----
|
|
|
|
|
|
|
|
|
|
== Compliant Solution
|
|
|
|
|
|
|
|
|
|
----
|
|
|
|
|
val c6 = Cookie("admin", "secret")
|
|
|
|
|
c6.setSecure(true) // Compliant: the sensitive cookie will not be send during an unencrypted HTTP request thanks to the secure flag set to true
|
|
|
|
|
----
|
|
|
|
|
|
|
|
|
|
include::../see.adoc[]
|
