← back to index

S2092 — Cookies should have the "secure" flag

Language: C#  |  Type: VULNERABILITY  |  Severity: Minor

Tags: cwe, former-hotspot, privacy

When a cookie is protected with the secure attribute set to true it will not be send by the browser over an unencrypted HTTP request and thus cannot be observed by an unauthorized person during a man-in-the-middle attack.

Why is this an issue?

When a cookie is created without the secure attribute set to true, browsers will transmit it over unencrypted HTTP connections as well as HTTPS. An attacker who can observe or intercept network traffic—for example on a public Wi-Fi network—can read the cookie value in cleartext.

What is the potential impact?

Session hijacking

If a session cookie is transmitted over an unencrypted HTTP connection, an attacker who can intercept the traffic can steal it. With a valid session cookie, the attacker can impersonate the victim and gain full access to their account without knowing their password. Even on sites that primarily use HTTPS, a single HTTP request containing the session cookie is enough to expose it.

How to fix it in ASP.NET

Set the HttpCookie.Secure property to true to prevent the cookie from being transmitted over unencrypted HTTP connections. Alternatively, set requireSSL="true" in the <httpCookies> element of the application’s Web.config file to enforce the secure flag globally.

Code examples

Noncompliant code example

When the HttpCookie.Secure property is set to false then the cookie will be send during an unencrypted HTTP request:

HttpCookie myCookie = new HttpCookie("Sensitive cookie");
myCookie.Secure = false; // Noncompliant

The default value of Secure flag is false, unless overwritten by an application’s configuration file:

HttpCookie myCookie = new HttpCookie("Sensitive cookie"); // Noncompliant

Compliant solution

Set the HttpCookie.Secure property to true:

HttpCookie myCookie = new HttpCookie("Sensitive cookie");
myCookie.Secure = true;

Or change the default flag values for the whole application by editing the Web.config configuration file:

<httpCookies httpOnlyCookies="true" requireSSL="true" />

Resources

Standards