Using cookies is security-sensitive. It has led in the past to the following vulnerabilities:
Attackers can use widely-available tools to read cookies. Any sensitive information they may contain will be exposed.
This rule flags code that writes cookies.
You are at risk if you answered yes to this question.
Cookies should only be used to manage the user session. The best practice is to keep all user-related information server-side and link it to the user session, never sending it to the client. In a very few corner cases, cookies can be used for non-sensitive information that needs to live longer than the user session.
Do not try to encode sensitive information in a non-human-readable format before writing it to a cookie. The encoding can be reversed and the original information will be exposed.
Using cookies only for session IDs doesn't make them secure. Follow OWASP best practices when you configure your cookies.
As a side note, every piece of information read from a cookie should be sanitized.
```java
// === javax.servlet ===
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletRequest;

public class JavaxServlet {
    void aServiceMethodSettingCookie(HttpServletRequest request, HttpServletResponse response, String acctID) {
        Cookie cookie = new Cookie("userAccountID", acctID); // Sensitive
        response.addCookie(cookie); // Sensitive
    }
}
```

```java
// === javax.ws ===
import java.util.Date;
import javax.ws.rs.core.Cookie;
import javax.ws.rs.core.NewCookie;

class JavaxWs {
    void jaxRsCookie(String comment, int maxAge, boolean secure, Date expiry, boolean httpOnly,
                     String name, String value, String path, String domain, int version) {
        Cookie cookie = new Cookie("name", "value"); // Sensitive

        new NewCookie(cookie); // Sensitive
        new NewCookie(cookie, comment, maxAge, secure); // Sensitive
        new NewCookie(cookie, comment, maxAge, expiry, secure, httpOnly); // Sensitive
        new NewCookie(name, value); // Sensitive
        new NewCookie(name, value, path, domain, version, comment, maxAge, secure); // Sensitive
        new NewCookie(name, value, path, domain, version, comment, maxAge, expiry, secure, httpOnly); // Sensitive
        new NewCookie(name, value, path, domain, comment, maxAge, secure); // Sensitive
        new NewCookie(name, value, path, domain, comment, maxAge, secure, httpOnly); // Sensitive
    }
}
```

```java
// === java.net ===
import java.net.HttpCookie;

class JavaNet {
    void httpCookie(HttpCookie hc) {
        HttpCookie cookie = new HttpCookie("name", "value"); // Sensitive
        cookie.setValue("value"); // Sensitive
    }
}
```

```java
// === apache.shiro ===
import org.apache.shiro.web.servlet.SimpleCookie;

class ApacheShiro {
    void shiroCookie(SimpleCookie cookie) {
        SimpleCookie sc = new SimpleCookie(cookie); // Sensitive
        cookie.setValue("value"); // Sensitive
    }
}
```

```java
// === Play ===
import play.mvc.Http.Cookie;
import play.mvc.Http.CookieBuilder;

class Play {
    void playCookie() {
        CookieBuilder builder = Cookie.builder("name", "value"); // Sensitive
        builder.withName("name")
               .withValue("value") // Sensitive
               .build();
    }
}
```
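The recommended pattern from the practices above, as an added example that is not part of the rule's own code: the account ID stays server-side, the cookie carries only an opaque session reference with the OWASP attributes set, and the value is sanitized before it is used on the way back in. It assumes javax.servlet 3.0 or later (for `setHttpOnly`) and uses an in-memory map as a stand-in for a real session store.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Pattern;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class SessionCookieExample {
    private static final String COOKIE_NAME = "SID";
    // Stand-in for a server-side session store: opaque session id -> account id.
    private final Map<String, String> sessions = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();
    // Sanitization rule: an id is 32 random bytes as unpadded URL-safe base64 (43 chars), nothing else.
    private static final Pattern SID_FORMAT = Pattern.compile("[A-Za-z0-9_-]{43}");

    /** Keeps acctID server-side; the client only receives an unguessable, opaque reference to it. */
    String startSession(HttpServletResponse response, String acctID) {
        byte[] raw = new byte[32];
        random.nextBytes(raw);
        String sid = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessions.put(sid, acctID);

        Cookie cookie = new Cookie(COOKIE_NAME, sid);
        cookie.setHttpOnly(true); // not readable from script
        cookie.setSecure(true);   // only sent over TLS
        cookie.setPath("/");      // scoped to this application
        cookie.setMaxAge(-1);     // session cookie: discarded when the browser closes
        // SameSite has no setter on javax.servlet.http.Cookie; add it via container config
        // or by writing the Set-Cookie header directly if your container does not do it.
        response.addCookie(cookie);
        return sid;
    }

    /** Resolves the account for a request; the cookie value is validated before any lookup. */
    String accountFor(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return null;
        }
        for (Cookie c : cookies) {
            if (!COOKIE_NAME.equals(c.getName())) {
                continue;
            }
            String sid = c.getValue();
            if (sid == null || !SID_FORMAT.matcher(sid).matches()) {
                return null; // reject anything that is not a well-formed id
            }
            return sessions.get(sid); // null when unknown or expired
        }
        return null;
    }
}
```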