include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

----
// === .Net Framework ===

HttpCookie myCookie = new HttpCookie("UserSettings");
myCookie["CreditCardNumber"] = "1234 1234 1234 1234"; // Sensitive; sensitive data stored
myCookie.Values["password"] = "5678"; // Sensitive
myCookie.Value = "mysecret"; // Sensitive
...
Response.Cookies.Add(myCookie);


// === .Net Core ===

Response.Headers.Add("Set-Cookie", ...); // Sensitive
Response.Cookies.Append("mykey", "myValue"); // Sensitive
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

'''
== Comments And Links
(visible only on this page)

=== on 16 Oct 2018, 18:39:51 Nicolas Harraudeau wrote:
*Implementation details*:

*In .Net core*, -any reference to ``++Microsoft.AspNetCore.Http.HttpRequest.Cookies++`` should create an issue. It is a ``++IEnumerable++`` and it is not worth highlighting every manipulation method this class has. There is no "Cookie" Type in .Net Core, they are instead processed as strings.-

The ``++Request++`` object is just a reference to the ``++HttpRequest++`` of the current request.

Regarding ``++Microsoft.AspNetCore.Http.HttpResonse.Cookies++``, only the ``++Append++`` method should raise an issue as the ``++Delete++`` one is not security-sensitive (no risk of injection).

The ``++Response++`` object is just a reference to the ``++HttpResponse++`` of the current request.

include::../comments-and-links.adoc[]

endif::env-github,rspecator-view[]