31 lines
998 B
Plaintext
31 lines
998 B
Plaintext
include::../description.adoc[]
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
== Sensitive Code Example
|
|
|
|
If you create a security-sensitive cookie in your JAVA code:
|
|
|
|
----
|
|
Cookie c = new Cookie(COOKIENAME, sensitivedata);
|
|
c.setHttpOnly(false); // Sensitive: this sensitive cookie is created with the httponly flag set to false and so it can be stolen easily in case of XSS vulnerability
|
|
----
|
|
|
|
|
|
By default the https://docs.oracle.com/javaee/6/api/javax/servlet/http/Cookie.html#setHttpOnly(boolean)[``++HttpOnly++``] flag is set to _false:_
|
|
|
|
----
|
|
Cookie c = new Cookie(COOKIENAME, sensitivedata); // Sensitive: this sensitive cookie is created with the httponly flag not defined (by default set to false) and so it can be stolen easily in case of XSS vulnerability
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
----
|
|
Cookie c = new Cookie(COOKIENAME, sensitivedata);
|
|
c.setHttpOnly(true); // Compliant: this sensitive cookie is protected against theft (HttpOnly=true)
|
|
----
|
|
|
|
include::../see.adoc[]
|