JavaScript is not currently enabled, but is required for full CodeSonar manual search and browse functionality.

If you are viewing this file in your hub's Web GUI, enable JavaScript in your browser: you will also need it for GUI functionality.

If you opened this file directly from disk, your browser may be directly suppressing JavaScript functionality: certain browsers perform this suppression on local files (but not files delivered by web servers) for security reasons.

CodeSonar® 9.2p0 CONFIDENTIAL CodeSecure Inc
C#

CSHARP.LIB.HTTP.COOKIE : Insecure Cookie (C#)

要旨

An insecure cookie is created or used.

Cookies are tokens of information exchanged over a network connection. If that connection is encrypted, cookies are expected to be encrypted as well. However, this might not be the case if a cookie's secure flag is not set. This checker finds such insecure situations.

プロパティ

クラス名 Insecure Cookie (C#)
日本語クラス名 Insecure Cookie (C#)
クラス分類 セキュリティ (security)
ニーモニック CSHARP.LIB.HTTP.COOKIE
カテゴリー
CWE CWE:614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
OWASP-2017 OWASP-2017:A6 Security misconfiguration
OWASP-2021 OWASP-2021:A5 Security misconfiguration
OWASP-2025 OWASP-2025:A02 Security Misconfiguration
対応言語 C# で利用可能です。
有効/無効設定 このワーニングクラスのチェックはデフォルトで有効になっています。チェックを無効にするにはプロジェクト設定ファイル (configuration file)に以下の WARNING_FILTER ルールを追加してください。 
WARNING_FILTER += discard class="Insecure Cookie (C#)"


using System;
using System.Web;
using System.Web.UI;

namespace DocumentationExamples
{
  public class Cookie : Page
  {
    public static void Main(string[] args)
    { }
      protected void Page_Load(object sender, EventArgs e)
    {
      Test1();
      Test2();
      Test3();
      Test4();
      Test5();
      Test6();
      Test7();
    }
    private void Test1()
    {
      HttpCookie cookie = new HttpCookie("cake", "special value here")
      {
        Secure = true
      };
      Response.Cookies.Add(cookie);
    }
    private void Test2()
    {
      HttpCookie cookie = new HttpCookie("cake", "special value here")
      {
        Secure = false
      };
      Console.WriteLine("danger here!");
      Response.Cookies.Add(cookie);   // "Insecure Cookie (C#)" warning issued here
    }
    private void Test3()
    {
      HttpCookie cookie = GetSecureCookie();
      Response.Cookies.Add(cookie);                            // ok: getSecureCookie returns a cookie whose Secure flag is set
    }
    private void Test4()
    {
      HttpCookie cookie = GetInsecureCookie();
      Response.Cookies.Add(cookie);   // "Insecure Cookie (C#)" warning issued here
    }
    private HttpCookie GetSecureCookie()
    {
      HttpCookie cookie = new HttpCookie("cake", "special value here")
      {
        Secure = true
      };
      return cookie;
    }
    private HttpCookie GetInsecureCookie()
    {
      HttpCookie cookie = new HttpCookie("cake", "special value here")
      {
        Secure = DateTime.Now.Millisecond % 2 == 0
      };
      return cookie;
    }
    private void Test5()
    {
      HttpCookie cookie = new HttpCookie("cake", "special value here");
      Response.Cookies.Add(cookie);   // "Insecure Cookie (C#)" warning issued here
    }
    private void Test6()
    {
      HttpCookie cookie = GetInsecureCookie();
      HttpCookie copy = cookie;
      cookie.Secure = true;
      Response.Cookies.Add(cookie);                            // ok: cookie.Secure explicitly set to true
    }
    private void Test7()
    {
      HttpCookie cookie = GetInsecureCookie();
      cookie.Secure = true;
      HttpCookie copy = cookie;
      copy.Secure = false;
      Response.Cookies.Add(cookie);   // "Insecure Cookie (C#)" warning issued here
    }
  }
}

解決法

Set the secure flag of the cookie, after its creation.

関連のある設定ファイルパラメータ

設定ファイルの以下のパラメータがこのワーニングクラスのチェックに影響します。

 

To report problems with this documentation, please visit https://support.codesecure.com/.