Checker Cookie

belongs to group Basic
Identify uses of insecure cookies in HTTPS connections

Frameworks supported by this checker

  • java up to 11
  • android up to API level 28
  • dotnet

Warnings generated by this checker

  • InsecureCookieWarning: an insecure cookie has been used [ CWE614 ]
  • PossibleInsecureCookieCreationWarning: an insecure cookie might have been created [ CWE614 ]

Options accepted by this checker

  • none

Annotations understood by this checker

  • @com.juliasoft.julia.checkers.cookie.MightCreateCookie
  • @com.juliasoft.julia.checkers.cookie.SecureCookie


Description

Cookies are tokens of information exchanged over a network connection. If that connection is encrypted, cookies are expected to be encrypted as well. However, this might not be the case if a cookie's secure flag is not set. This checker finds such insecure situations.

Action: Set the secure flag of the cookie, after its creation.

Cookies are tokens of information exchanged over a network connection. If that connection is encrypted, cookies are expected to be encrypted as well. However, this might not be the case if a cookie's secure flag is not set. This checker finds such insecure situations.

Action: Set the secure flag of the cookie, after its creation.

Examples

Consider the following program:

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class Cookies extends HttpServlet {

  @Override
  protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
    test1(resp);
    test2(resp);
    test3(resp);
    test4(resp);
    test5(resp);
    test6(resp);
    test7(resp);
  }

  private void test1(HttpServletResponse resp) {
    Cookie cookie = new Cookie("cake", "special value here");
    cookie.setSecure(true);
    resp.addCookie(cookie);
  }

  private void test2(HttpServletResponse resp) {
    Cookie cookie = new Cookie("cake", "special value here");
    cookie.setSecure(false);
    System.out.println("danger here!");
    resp.addCookie(cookie);
  }

  private void test3(HttpServletResponse resp) {
    Cookie cookie = getSecureCookie();
    resp.addCookie(cookie);
  }

  private void test4(HttpServletResponse resp) {
    Cookie cookie = getInsecureCookie();
    resp.addCookie(cookie);
  }

  private Cookie getSecureCookie() {
    Cookie cookie = new Cookie("cake", "special value here");
    cookie.setSecure(true);
    return cookie;
  }

  private Cookie getInsecureCookie() {
    Cookie cookie = new Cookie("cake", "special value here");
    cookie.setSecure(System.currentTimeMillis() % 2 == 0);
    return cookie;
  }

  private void test5(HttpServletResponse resp) {
    Cookie cookie = new Cookie("cake", "special value here");
    resp.addCookie(cookie);
  }

  private void test6(HttpServletResponse resp) {
    Cookie cookie = getInsecureCookie();
    Cookie copy = cookie;
    copy.setSecure(true);
    resp.addCookie(cookie);
  }

  private void test7(HttpServletResponse resp) {
    Cookie cookie = getInsecureCookie();
    cookie.setSecure(true);
    Cookie copy = cookie;
    copy.setSecure(false);
    resp.addCookie(cookie);
  }
}

This checker issues the following warnings:

Cookies.java:32: [Cookie: InsecureCookieWarning] An insecure cookie seems used here for HTTPS connections
Cookies.java:42: [Cookie: InsecureCookieWarning] An insecure cookie seems used here for HTTPS connections
Cookies.java:59: [Cookie: InsecureCookieWarning] An insecure cookie seems used here for HTTPS connections
Cookies.java:74: [Cookie: InsecureCookieWarning] An insecure cookie seems used here for HTTPS connections

where cookies get attached to the servlet response but their secure flag is not set. Namely, the cookie attached at line 32 is explicitly created insecure; that attached at line 42 might have the secure flag off, since there is no guarantee that getInsecureCookie() will set that flag; that attached at line 59 has its secure flag off by default; that attached at line 74 has the secure flag set but turned immediately after back off, through a call on its copy. Note, instead, that no warning is issued at line 37, since getSecureCookie() returns a cookie whose secure flag is on; no warning is issued at line 66 either, since the insecure cookie gets its secure flag set through a call on its copy, at line 65.

In this example, the programmer should always call setSecure(true) on all cookies that he creates.

Consider the following program:

using System;
using System.Web;
using System.Web.UI;

namespace DocumentationExamples
{
    public class Cookie : Page
    {
        public static void Main(string[] args)
        { }
            protected void Page_Load(object sender, EventArgs e)
        {
            Test1();
            Test2();
            Test3();
            Test4();
            Test5();
            Test6();
            Test7();
        }
        private void Test1()
        {
            HttpCookie cookie = new HttpCookie("cake", "special value here")
            {
                Secure = true
            };
            Response.Cookies.Add(cookie);
        }
        private void Test2()
        {
            HttpCookie cookie = new HttpCookie("cake", "special value here")
            {
                Secure = false
            };
            Console.WriteLine("danger here!");
            Response.Cookies.Add(cookie);
        }
        private void Test3()
        {
            HttpCookie cookie = GetSecureCookie();
            Response.Cookies.Add(cookie);
        }
        private void Test4()
        {
            HttpCookie cookie = GetInsecureCookie();
            Response.Cookies.Add(cookie);
        }
        private HttpCookie GetSecureCookie()
        {
            HttpCookie cookie = new HttpCookie("cake", "special value here")
            {
                Secure = true
            };
            return cookie;
        }
        private HttpCookie GetInsecureCookie()
        {
            HttpCookie cookie = new HttpCookie("cake", "special value here")
            {
                Secure = DateTime.Now.Millisecond % 2 == 0
            };
            return cookie;
        }
        private void Test5()
        {
            HttpCookie cookie = new HttpCookie("cake", "special value here");
            Response.Cookies.Add(cookie);
        }
        private void Test6()
        {
            HttpCookie cookie = GetInsecureCookie();
            HttpCookie copy = cookie;
            cookie.Secure = true;
            Response.Cookies.Add(cookie);
        }
        private void Test7()
        {
            HttpCookie cookie = GetInsecureCookie();
            cookie.Secure = true;
            HttpCookie copy = cookie;
            copy.Secure = false;
            Response.Cookies.Add(cookie);
        }
    }
}

This checker issues the following warnings:

DocumentationExamples.cs:36: [Cookie: InsecureCookieWarning] An insecure cookie seems used here for HTTPS connections
DocumentationExamples.cs:46: [Cookie: InsecureCookieWarning] An insecure cookie seems used here for HTTPS connections
DocumentationExamples.cs:67: [Cookie: InsecureCookieWarning] An insecure cookie seems used here for HTTPS connections
DocumentationExamples.cs:82: [Cookie: InsecureCookieWarning] An insecure cookie seems used here for HTTPS connections

where cookies get attached to the servlet response but their secure flag is not set. Namely, the cookie attached at line 36 is explicitly created insecure; that attached at line 46 might have the secure flag off, since there is no guarantee that GetInsecureCookie() will set that flag; that attached at line 67 has its secure flag off by default; that attached at line 82 has the secure flag set but turned immediately after back off, through a call on its copy. Note, instead, that no warning is issued at line 41, since GetSecureCookie() returns a cookie whose secure flag is on; no warning is issued at line 74 either, since the insecure cookie gets its secure flag set through a call on its copy, at line 65.

In this example, the programmer should always set Secure = true on all cookies that he creates.