CA5396 (Security), enabled by default: No

Set HttpOnly to true for HttpCookie


Description

As a defense in depth measure, ensure security sensitive HTTP cookies are marked as HttpOnly. This indicates web browsers should disallow scripts from accessing the cookies. Injected malicious scripts are a common way of stealing cookies.

Cause

System.Web.HttpCookie.HttpOnly is set to false. The default value of this property is false.

How to fix violations

Set System.Web.HttpCookie.HttpOnly to true.

Example

Violation (HttpOnly explicitly set to false, which is also the default):

using System.Web;

class ExampleClass
{
    public void ExampleMethod()
    {
        HttpCookie httpCookie = new HttpCookie("cookieName");
        // Violates CA5396: script running in the page can read this cookie
        // through document.cookie, so an injected script can exfiltrate it.
        httpCookie.HttpOnly = false;
    }
}

Solution:

using System.Web;

class ExampleClass
{
    public void ExampleMethod()
    {
        HttpCookie httpCookie = new HttpCookie("cookieName");
        // Fixes CA5396: the browser withholds the cookie from script and
        // only sends it on HTTP requests.
        httpCookie.HttpOnly = true;
    }
}

When to suppress

  • If the global value of System.Web.HttpCookie.HttpOnly is set, such as in the following example:
  • If you're sure there's no sensitive data in the cookies.
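The following is an added example, not code from the rule documentation: a helper that sets HttpOnly (together with the other transport protections) when a sensitive cookie is created, plus an end-of-request check that forces HttpOnly on any cookie another code path left unprotected. The cookie names, the allow-list and the Global.asax wiring are assumptions for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Web;

// Added example, not from the CA5396 documentation; names are constructed.
static class CookieHardening
{
    // Cookies client-side script legitimately reads; everything else gets HttpOnly.
    static readonly HashSet<string> ScriptReadable =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "ui-theme" };

    // Preferred way to create a sensitive cookie, so CA5396 never fires.
    public static HttpCookie CreateSensitive(string name, string value, TimeSpan lifetime)
    {
        return new HttpCookie(name, value)
        {
            HttpOnly = true,                 // script cannot read it via document.cookie
            Secure = true,                   // only sent over HTTPS
            SameSite = SameSiteMode.Strict,  // .NET Framework 4.7.2+; not sent cross-site
            Expires = DateTime.UtcNow.Add(lifetime),
        };
    }

    // Defense in depth for cookies created elsewhere: walk the outgoing response
    // before headers are written and force HttpOnly on anything not allow-listed.
    // Returns the names that had to be corrected so the caller can log them.
    public static List<string> EnforceHttpOnly(HttpResponse response)
    {
        var corrected = new List<string>();
        foreach (string key in response.Cookies.AllKeys)
        {
            HttpCookie cookie = response.Cookies[key];
            if (cookie.HttpOnly || ScriptReadable.Contains(key))
                continue;
            cookie.HttpOnly = true;
            corrected.Add(key);
        }
        return corrected;
    }
}

// Assumed Global.asax code-behind. EndRequest runs before headers are sent
// unless Response.Flush was called earlier in the pipeline.
public class Global : HttpApplication
{
    protected void Application_EndRequest(object sender, EventArgs e)
    {
        foreach (string name in CookieHardening.EnforceHttpOnly(Response))
            Trace.TraceWarning("Cookie '{0}' was set without HttpOnly; forced on.", name);
    }
}
```

Each warning logged by the EndRequest hook points at a code path that still sets a cookie without HttpOnly and should be fixed at its source rather than relying on the hook.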