rspec/rules/S3330/csharp/rule.adoc

include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

When the ``++HttpCookie.HttpOnly++`` property is set to ``++false++`` then the cookie can be accessed by client side code:

----
HttpCookie myCookie = new HttpCookie("Sensitive cookie");
myCookie.HttpOnly = false; // Sensitive: this cookie is created with the httponly flag set to false and so it can be stolen easily in case of XSS vulnerability
----
The https://docs.microsoft.com/en-us/dotnet/api/system.web.httpcookie.httponly?view=netframework-4.8[default value] of ``++HttpOnly++`` flag is ``++false++``, unless overwritten by an application's configuration file:

----
HttpCookie myCookie = new HttpCookie("Sensitive cookie"); 
// Sensitive: this cookie is created without the httponly flag  (by default set to false) and so it can be stolen easily in case of XSS vulnerability
----

== Compliant Solution

Set the ``++HttpCookie.HttpOnly++`` property to ``++true++``:

----
HttpCookie myCookie = new HttpCookie("Sensitive cookie");
myCookie.HttpOnly = true; // Compliant: the sensitive cookie is protected against theft thanks to the HttpOnly property set to true (HttpOnly = true)
----
Or change the default flag values for the whole application by editing the https://docs.microsoft.com/en-us/previous-versions/dotnet/netframework-4.0/ms228262(v=vs.100)[Web.config configuration file]:

----
<httpCookies httpOnlyCookies="true" requireSSL="true" />
----

* the ``++requireSSL++`` attribute corresponds programmatically to the ``++Secure++`` field.
* the ``++httpOnlyCookies++`` attribute corresponds programmatically to the ``++httpOnly++`` field.

include::../see.adoc[]