Language: C# | Type: VULNERABILITY | Severity: Minor
Tags: cwe, former-hotspot, privacy
When a cookie is protected with the Secure attribute set to true, it will not be sent by the browser over an unencrypted HTTP
request and thus cannot be observed by an unauthorized person during a man-in-the-middle attack.
When a cookie is created without the Secure attribute set to true, browsers will transmit it over unencrypted HTTP
connections as well as HTTPS. An attacker who can observe or intercept network traffic, for example on a public Wi-Fi network, can read the cookie value
in cleartext.
If a session cookie is transmitted over an unencrypted HTTP connection, an attacker who can intercept the traffic can steal it. With a valid session cookie, the attacker can impersonate the victim and gain full access to their account without knowing their password. Even on sites that primarily use HTTPS, a single HTTP request containing the session cookie is enough to expose it.
Set the HttpCookie.Secure property to true to prevent the cookie from being transmitted over unencrypted HTTP
connections. Alternatively, set requireSSL="true" in the <httpCookies> element of the application’s
Web.config file to enforce the secure flag globally.
When the HttpCookie.Secure property is set to false, the cookie will be sent during an unencrypted HTTP request:
HttpCookie myCookie = new HttpCookie("Sensitive cookie");
myCookie.Secure = false; // Noncompliant
The default value of the Secure flag is false, unless overwritten by an application's configuration file:
HttpCookie myCookie = new HttpCookie("Sensitive cookie"); // Noncompliant
Set the HttpCookie.Secure property to true:
HttpCookie myCookie = new HttpCookie("Sensitive cookie");
myCookie.Secure = true;
Or change the default flag values for the whole application by editing the Web.config configuration file:
<httpCookies httpOnlyCookies="true" requireSSL="true" />
The requireSSL attribute corresponds programmatically to the Secure field. The httpOnlyCookies attribute corresponds programmatically to the httpOnly field.
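The following is an added example, not code from the rule itself: it builds a cookie with the flags set explicitly and adds a small audit helper that lists cookies in a collection that would still travel over plain HTTP. It assumes the System.Web API of ASP.NET on .NET Framework; the sample collection and cookie names are constructed inline.

```csharp
using System;
using System.Collections.Generic;
using System.Web;

// Added example (not part of the rule text). Targets System.Web, where
// HttpCookie.Secure is the property the rule inspects.
public static class CookieHardening
{
    // Build a cookie with Secure set explicitly, so the outcome does not
    // depend on the Web.config <httpCookies requireSSL> default.
    public static HttpCookie CreateSecureCookie(string name, string value)
    {
        return new HttpCookie(name, value)
        {
            Secure = true,    // compliant: never sent over unencrypted HTTP
            HttpOnly = true,  // also unreadable by client-side script
            Expires = DateTime.UtcNow.AddMinutes(20)
        };
    }

    // Defensive check before the response is flushed: return the names of
    // every cookie in the collection that lacks the Secure flag.
    public static List<string> FindInsecureCookies(HttpCookieCollection cookies)
    {
        var insecure = new List<string>();
        for (int i = 0; i < cookies.Count; i++)
        {
            HttpCookie c = cookies.Get(i);
            if (!c.Secure)
            {
                insecure.Add(c.Name);
            }
        }
        return insecure;
    }

    public static void Main()
    {
        // Constructed sample collection standing in for Response.Cookies.
        var cookies = new HttpCookieCollection();
        cookies.Add(new HttpCookie("Sensitive cookie"));         // Noncompliant: Secure defaults to false
        cookies.Add(CreateSecureCookie("session", "opaque-id")); // compliant

        foreach (string name in FindInsecureCookies(cookies))
        {
            Console.WriteLine("Cookie '" + name + "' lacks the Secure flag");
        }
    }
}
```

The audit helper reports only what the application itself set; with requireSSL="true" in Web.config the default-constructed cookie would already be flagged Secure and would not appear in the list.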