C#


CSHARP.LIB.HTTP.COOKIE : Insecure Cookie (C#)

Summary

A cookie is added to the HTTP response without its Secure flag set.

Cookies are tokens of information exchanged between a browser and a web application. A cookie's Secure flag tells the browser to send the cookie only over an encrypted (HTTPS) connection; the flag does not itself encrypt the cookie's contents. If the flag is not set, the browser will also send the cookie over plain HTTP, where anyone on the network path can read or replay it (a session cookie captured this way gives the attacker the user's session). This checker reports cookies that are added to the response without the Secure flag set.

Properties

Class Name Insecure Cookie (C#)
Significance security
Mnemonic CSHARP.LIB.HTTP.COOKIE
Categories
CWE CWE:614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
Availability Available for C# only.
Enabling Checks for this warning class are enabled by default. To disable them, add the following WARNING_FILTER rule to the project configuration file.
WARNING_FILTER += discard class="Insecure Cookie (C#)"

Example

using System;
using System.Web;
using System.Web.UI;

namespace DocumentationExamples
{
  // Example program for the "Insecure Cookie (C#)" checker. Each TestN method
  // shows one way a cookie can reach Response.Cookies.Add; the inline
  // "warning issued here" comments mark the lines the checker reports.
  public class Cookie : Page
  {
    // Empty entry point; not part of the cookie example.
    public static void Main(string[] args)
    { }
      // Runs every example in turn when the page loads.
      protected void Page_Load(object sender, EventArgs e)
    {
      Test1();
      Test2();
      Test3();
      Test4();
      Test5();
      Test6();
      Test7();
    }
    // Secure set to true in the object initializer, before the cookie is added: no warning.
    private void Test1()
    {
      HttpCookie cookie = new HttpCookie("cake", "special value here")
      {
        Secure = true
      };
      Response.Cookies.Add(cookie);                            // ok: Secure is true when the cookie is added
    }
    // Secure explicitly set to false: the browser may send this cookie over plain
    // HTTP, so adding it to the response is reported.
    private void Test2()
    {
      HttpCookie cookie = new HttpCookie("cake", "special value here")
      {
        Secure = false
      };
      Console.WriteLine("danger here!");
      Response.Cookies.Add(cookie);   // "Insecure Cookie (C#)" warning issued here
    }
    // The Secure flag was set inside the helper that built the cookie: no warning.
    private void Test3()
    {
      HttpCookie cookie = GetSecureCookie();
      Response.Cookies.Add(cookie);                            // ok: GetSecureCookie returns a cookie whose Secure flag is set
    }
    // GetInsecureCookie cannot guarantee Secure == true, so the Add is reported.
    private void Test4()
    {
      HttpCookie cookie = GetInsecureCookie();
      Response.Cookies.Add(cookie);   // "Insecure Cookie (C#)" warning issued here
    }
    // Helper: returns a cookie whose Secure flag is unconditionally true.
    private HttpCookie GetSecureCookie()
    {
      HttpCookie cookie = new HttpCookie("cake", "special value here")
      {
        Secure = true
      };
      return cookie;
    }
    // Helper: Secure depends on a runtime value (the current millisecond), so it
    // may be false. Never make the Secure flag conditional; the checker treats a
    // cookie from this helper as insecure (see Test4, Test6 and Test7).
    private HttpCookie GetInsecureCookie()
    {
      HttpCookie cookie = new HttpCookie("cake", "special value here")
      {
        Secure = DateTime.Now.Millisecond % 2 == 0   // non-deterministic: the flag may be false
      };
      return cookie;
    }
    // Secure never assigned: the cookie keeps its insecure default, so the Add is reported.
    private void Test5()
    {
      HttpCookie cookie = new HttpCookie("cake", "special value here");
      Response.Cookies.Add(cookie);   // "Insecure Cookie (C#)" warning issued here
    }
    // 'copy' is a second reference to the same HttpCookie object, not a clone.
    // Setting Secure = true through either reference before the Add is enough.
    private void Test6()
    {
      HttpCookie cookie = GetInsecureCookie();
      HttpCookie copy = cookie;   // alias of the same object (unused here)
      cookie.Secure = true;
      Response.Cookies.Add(cookie);                            // ok: cookie.Secure explicitly set to true
    }
    // 'copy' aliases 'cookie', so copy.Secure = false undoes the earlier
    // cookie.Secure = true; the cookie is insecure at the point it is added.
    private void Test7()
    {
      HttpCookie cookie = GetInsecureCookie();
      cookie.Secure = true;
      HttpCookie copy = cookie;   // same object as 'cookie'
      copy.Secure = false;        // clears Secure on the shared object
      Response.Cookies.Add(cookie);   // "Insecure Cookie (C#)" warning issued here
    }
  }
}

Resolution

Set the cookie's Secure property to true before the cookie is added to Response.Cookies (for example, in the object initializer, as in Test1), and do not make the flag depend on a runtime condition (see GetInsecureCookie). Note that Secure only restricts the cookie to HTTPS; for session and authentication cookies, also consider setting HttpOnly so that client-side script cannot read them.

Relevant Configuration File Parameters

The following configuration file parameters affect checks for this warning class.