I am using Fortify to scan my code. It is identifying the error "Header Manipulation: Cookies". Further it says "includes unvalidated data in an HTTP cookie". My code is below.
String cookieName = "Foo";
// Strip anything outside letters, digits, space, dot and hyphen from the cookie name.
// (The original pattern omitted '.', which would have removed the leading dot of ".OmniPro".)
System.Text.RegularExpressions.Regex rgx = new System.Text.RegularExpressions.Regex("[^a-zA-Z0-9 .-]");
String FullCookieName = ".OmniPro" + cookieName;
FullCookieName = rgx.Replace(FullCookieName, "");
// The cookie object is read from the request, so Fortify treats its name and value as untrusted.
HttpCookie oldCookie = Request.Cookies[FullCookieName];
if (oldCookie != null)
{
    oldCookie.Expires = DateTime.Now.AddDays(-1);
    Response.Cookies.Add(oldCookie); // flagged by Fortify: request data written back into Set-Cookie
}
The error is identified on "Cookies.Add". My intention is to just expire the old cookie. I have found no way to make Fortify happy. Any help would be appreciated.
It seems to me that the extension .OmniPro has a very specific use case, which I don't question. However, the regular expression doesn't seem to be essential.
Much simpler code passes HP's Fortify scan for header manipulation prevention:
// DeleteCookieName holds the name of the cookie to remove; a fresh HttpCookie is built
// instead of reusing the object read from the request.
HttpCookie expiredCookie = new HttpCookie(DeleteCookieName)
{
    Expires = DateTime.Now.AddDays(-1)
};
HttpContext.Current.Response.Cookies.Add(expiredCookie); // Overwrite cookie.
Moreover, for this kind of cookie, which expires immediately (see DateTime.Now.AddDays(-1)), I'm a bit sceptical that it isn't a false positive, because this cookie can never be fetched: it simply expires before it has been created.