Showing content from https://docs.microsoft.com/en-us/dotnet/fundamentals/code-analysis/quality-rules/ca5396 below:

CA5396: Set HttpOnly to true for HttpCookie (code analysis) - .NET

| Property | Value |
|---|---|
| Rule ID | CA5396 |
| Title | Set HttpOnly to true for HttpCookie |
| Category | Security |
| Fix is breaking or non-breaking | Non-breaking |
| Enabled by default in .NET 9 | No |

Cause

System.Web.HttpCookie.HttpOnly is set to false. The default value of this property is false.

Rule description

As a defense-in-depth measure, ensure security-sensitive HTTP cookies are marked as HttpOnly. This tells web browsers to disallow scripts from accessing the cookies. Injected malicious scripts are a common way of stealing cookies.

How to fix violations

Set System.Web.HttpCookie.HttpOnly to true.

When to suppress warnings

Suppress a warning

If you just want to suppress a single violation, add preprocessor directives to your source file to disable and then re-enable the rule.

#pragma warning disable CA5396
// The code that's violating the rule is on this line.
#pragma warning restore CA5396

To disable the rule for a file, folder, or project, set its severity to none in the configuration file.

[*.{cs,vb}]
dotnet_diagnostic.CA5396.severity = none

For more information, see How to suppress code analysis warnings.

Example

Violation:

using System.Web;

class ExampleClass
{
    public void ExampleMethod()
    {
        HttpCookie httpCookie = new HttpCookie("cookieName");
        httpCookie.HttpOnly = false;
    }
}

Solution:

using System.Web;

class ExampleClass
{
    public void ExampleMethod()
    {
        HttpCookie httpCookie = new HttpCookie("cookieName");
        httpCookie.HttpOnly = true;
    }
}
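
Beyond fixing individual call sites, a runtime guard can catch cookies that are created without the flag elsewhere in the application. The following is an added example that goes beyond the single-cookie case above; it is not code from the Microsoft documentation. The module name `HttpOnlyCookieModule` and the allow-listed cookie name `ui-theme` are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Web;

// Hypothetical module; register it under <system.webServer><modules> in web.config.
public sealed class HttpOnlyCookieModule : IHttpModule
{
    // Assumed allow-list: cookies that client-side script must be able to read.
    // "ui-theme" is a constructed name; keep session and auth cookies out of this set.
    private static readonly HashSet<string> ScriptReadable =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "ui-theme" };

    public void Init(HttpApplication application)
    {
        application.EndRequest += OnEndRequest;
    }

    private static void OnEndRequest(object sender, EventArgs e)
    {
        HttpResponse response = ((HttpApplication)sender).Response;

        // Iterate by index: the string indexer on Response.Cookies
        // creates a cookie when the name is not present.
        for (int i = 0; i < response.Cookies.Count; i++)
        {
            HttpCookie cookie = response.Cookies.Get(i);
            if (cookie == null || cookie.HttpOnly || ScriptReadable.Contains(cookie.Name))
            {
                continue;
            }

            // Log the offender so the code that issued the cookie can be fixed at its source.
            Trace.TraceWarning("Cookie '{0}' was issued without HttpOnly; enforcing it.", cookie.Name);
            cookie.HttpOnly = true;
        }
    }

    public void Dispose()
    {
    }
}
```

The correction only reaches the browser if the response headers have not been sent yet, so cookies written before an explicit `Response.Flush()` are not covered by this guard.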
