Should empty cookies intended to delete to be marked as secure?
SonarQube found an issue (Cookies should be "secure") in the following code:
public static void eraseSamlCookie(final HttpServletResponse response) {
final String cookieName = Config.getParameter(Constants.SSO_COOKIE_NAME);
if (cookieName != null) {
final Cookie cookie = new Cookie(cookieName, "");
cookie.setMaxAge(0);
cookie.setPath("/");
cookie.setHttpOnly(true);
response.addCookie(cookie);
}
}
The cookie is created only to delete a cookie with the same name on the client side (max-age=0).
Is there any reasonable reason to mark it as secure? Does the rule should ignore cookies which value is empty and max-age is set to 0?
The rule description was extended and now I see it has sense. Why? This part is important:
When a cookie is protected with the secure attribute set to true it will not be send by the browser over an unencrypted HTTP request and thus cannot be observed by an unauthorized person during a man-in-the-middle attack. By default the secure flag is set to false and so cookies can be stolen if a man-in-the-attack is performed.
In my case the only reason to create a cookie is to overwrite the cookie with the same name on the client side. When the cookie is not secured somebody may change its content, so instead of cleaning the cookie on the client side, it can be provided with a different content. It means that making it secure has a lot of sense.
- Linking JSF inputText with backing bean's field without showing its value
- generate javascript from java class as a maven build step
- Elegant way of holding large static typesafe dictionary in java - or avoiding code too large
- @WebMvcTest fails with java.lang.IllegalStateException: Failed to load ApplicationContext
- Calling unmanaged C\C++ DLL methods from Java?
- API Gateway Custom Authorizer: Control error message and code
- Spring boot: Unable to start embedded Tomcat servlet container
- I'm trying to send TCP SYN packet in java using Pcap4j library, but I get a NullPointerException on line "ipv4Builder.build();"
- ExecutorCompletionService? Why do need one if we have invokeAll?
- How is the toString() method automatically called inside System.out.println()
- Java Keytool error after importing certificate , "keytool error: java.io.FileNotFoundException & Access Denied"
- ')' Expected (java)
- Parenthesis representation of BinTree to BinTree
- KeyListener not working the way I want it to for arrow keys?
- How do I delete an object in java?
- After Spring boot 3.2.x upgrade , ZoneddateTime is getting persisted in DB always with UTC format
- Maximized JFrame's location is [-8,-8]. Can it be fixed?
- SNMP v3 Trap listener implementation not working for AuthNoPriv in case of both MD5 and SHA protocols using SNMP4j
- Is `JNI_OnLoad` always invoked in main thread?
- Eclipse 'loading descriptor' takes ages
- Java reduce a collection of string to a map of occurence
- Wildfly deploy failed: JBAS014671 and WFLYCTL0080 - Access is denied
- Is the Java compiler the same that is on Linux/Windows?
- Eclipse: Class not found: javac1.7
- Does try-with-resources call dispose() method?
- A Java update has caused me to be unable to compile/run my React Native project in Android
- Latency / Ping test from Browser
- IntelliJ IDEA: "cannot resolve symbol" for String, System and other Java classes
- How to execute "less" with paging from a Java console application?
- How to execute tasks in ExecutorService sequentially?