Using cookies is security-sensitive. It has led in the past to the following vulnerabilities:
Attackers can use widely-available tools to read cookies. Any sensitive information they may contain will be exposed.
This rule flags code that writes cookies.
Ask Yourself Whether
- sensitive information is stored inside the cookie.
You are at risk if you answered yes to this question.
Recommended Secure Coding Practices
Cookies should only be used to manage the user session. The best practice is to keep all user-related information server-side and link them to the
user session, never sending them to the client. In a very few corner cases, cookies can be used for non-sensitive information that need to live longer
than the user session.
Do not try to encode sensitive information in a non human-readable format before writing them in a cookie. The encoding can be reverted and the
original information will be exposed.
Using cookies only for session IDs doesn’t make them secure. Follow OWASP best practices when you configure your
As a side note, every information read from a cookie should be Sanitized.
Sensitive Code Example
// === .Net Framework ===
HttpCookie myCookie = new HttpCookie("UserSettings");
myCookie["CreditCardNumber"] = "1234 1234 1234 1234"; // Sensitive; sensitive data stored
myCookie.Values["password"] = "5678"; // Sensitive
myCookie.Value = "mysecret"; // Sensitive
// === .Net Core ===
Response.Headers.Add("Set-Cookie", ...); // Sensitive
Response.Cookies.Append("mykey", "myValue"); // Sensitive
This rule is deprecated, and will eventually be removed.