include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

When the ``++HttpCookie.Secure++`` property is set to ``++false++`` then the cookie will be send during an unencrypted HTTP request:

----
HttpCookie myCookie = new HttpCookie("Sensitive cookie");
myCookie.Secure = false; //  Sensitive: a security-sensitive cookie is created with the secure flag set to false 
----
The https://docs.microsoft.com/en-us/dotnet/api/system.web.httpcookie.secure?view=netframework-4.8[default value] of ``++Secure++`` flag is ``++false++``, unless overwritten by an application's configuration file:

----
HttpCookie myCookie = new HttpCookie("Sensitive cookie");  
//  Sensitive: a security-sensitive cookie is created with the secure flag not defined (by default set to false)
----

== Compliant Solution

Set the ``++HttpCookie.Secure++`` property to ``++true++``:

[source,csharp]
----
HttpCookie myCookie = new HttpCookie("Sensitive cookie");
myCookie.Secure = true; // Compliant
----
Or change the default flag values for the whole application by editing the https://docs.microsoft.com/en-us/previous-versions/dotnet/netframework-4.0/ms228262(v=vs.100)[Web.config configuration file]:

[source,csharp]
----
<httpCookies httpOnlyCookies="true" requireSSL="true" />
----

* the ``++requireSSL++`` attribute corresponds programmatically to the ``++Secure++`` field.
* the ``++httpOnlyCookies++`` attribute corresponds programmatically to the ``++httpOnly++`` field.

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Make sure creating this cookie without setting the 'Secure' property is safe here.


'''
== Comments And Links
(visible only on this page)

include::../comments-and-links.adoc[]

endif::env-github,rspecator-view[]