Checker Cookie   as of Julia version 2.6.0 (built on 6 Sep 2018)

belongs to group Basic

Identify uses of insecure cookies in HTTPS connections


Cookies are tokens of information exchanged over a network connection. If that connection is encrypted, cookies are expected to be encrypted as well. However, this might not be the case if a cookie's secure flag is not set. This checker finds such insecure situations.

Action: Set the secure flag of the cookie, after its creation.

Examples


Consider the following program:

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class Cookies extends HttpServlet {

  @Override
  protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
    test1(resp);
    test2(resp);
    test3(resp);
    test4(resp);
    test5(resp);
    test6(resp);
    test7(resp);
  }

  private void test1(HttpServletResponse resp) {
    Cookie cookie = new Cookie("cake", "special value here");
    cookie.setSecure(true);
    resp.addCookie(cookie);
  }

  private void test2(HttpServletResponse resp) {
    Cookie cookie = new Cookie("cake", "special value here");
    cookie.setSecure(false);
    System.out.println("danger here!");
    resp.addCookie(cookie);
  }

  private void test3(HttpServletResponse resp) {
    Cookie cookie = getSecureCookie();
    resp.addCookie(cookie);
  }

  private void test4(HttpServletResponse resp) {
    Cookie cookie = getInsecureCookie();
    resp.addCookie(cookie);
  }

  private Cookie getSecureCookie() {
    Cookie cookie = new Cookie("cake", "special value here");
    cookie.setSecure(true);
    return cookie;
  }

  private Cookie getInsecureCookie() {
    Cookie cookie = new Cookie("cake", "special value here");
    cookie.setSecure(System.currentTimeMillis() % 2 == 0);
    return cookie;
  }

  private void test5(HttpServletResponse resp) {
    Cookie cookie = new Cookie("cake", "special value here");
    resp.addCookie(cookie);
  }

  private void test6(HttpServletResponse resp) {
    Cookie cookie = getInsecureCookie();
    Cookie copy = cookie;
    copy.setSecure(true);
    resp.addCookie(cookie);
  }

  private void test7(HttpServletResponse resp) {
    Cookie cookie = getInsecureCookie();
    cookie.setSecure(true);
    Cookie copy = cookie;
    copy.setSecure(false);
    resp.addCookie(cookie);
  }
}

This checker issues the following warnings:

Cookies.java:32: [Cookie: InsecureCookieWarning] An insecure cookie seems used here for HTTPS connections
Cookies.java:42: [Cookie: InsecureCookieWarning] An insecure cookie seems used here for HTTPS connections
Cookies.java:59: [Cookie: InsecureCookieWarning] An insecure cookie seems used here for HTTPS connections
Cookies.java:74: [Cookie: InsecureCookieWarning] An insecure cookie seems used here for HTTPS connections

where cookies get attached to the servlet response but their secure flag is not set. Namely, the cookie attached at line 32 is explicitly created insecure; that attached at line 42 might have the secure flag off, since there is no guarantee that getInsecureCookie() will set that flag; that attached at line 59 has its secure flag off by default; that attached at line 74 has the secure flag set but turned immediately after back off, through a call on its copy. Note, instead, that no warning is issued at line 37, since getSecureCookie() returns a cookie whose secure flag is on; no warning is issued at line 66 either, since the insecure cookie gets its secure flag set through a call on its copy, at line 65.

In this example, the programmer should always call setSecure(true) on all cookies that he creates.