
CookiePolicyOptions - HttpOnly and Secure - what is the effect of these settings?


We have an ASP.NET Core 2.2 web service application.

We use Checkmarx SAST to scan our source code. It is showing recommendations such as HttpOnlyCookies and Insecure_Cookie. These recommendations target the Startup class in the Startup.cs file.

These lines will get rid of these recommendations.

In ConfigureServices function:

using Microsoft.AspNetCore.Builder;      // CookiePolicyOptions
using Microsoft.AspNetCore.CookiePolicy; // HttpOnlyPolicy
using Microsoft.AspNetCore.Http;         // CookieSecurePolicy

services.Configure<CookiePolicyOptions>(options =>
{
    options.HttpOnly = HttpOnlyPolicy.Always;      // every emitted cookie gets the HttpOnly flag
    options.Secure = CookieSecurePolicy.Always;    // every emitted cookie gets the Secure flag
});

In Configure function:

// Register before middleware that appends cookies (authentication, MVC), so the policy is applied to them.
app.UseCookiePolicy();

However, I could not find a detailed explanation of what impact these settings will cause for an existing application.

Our web service application is running on .NET Core 2.2.

Microsoft documentation definitions:

CookiePolicyOptions.HttpOnly Property => Affects whether cookies must be HttpOnly
CookiePolicyOptions.Secure Property => Affects whether cookies must be Secure.

And that's it. No more detailed explanation.

If someone can elaborate on what effect these settings will cause, much appreciated!


Solution

  • They set the HttpOnly and the Secure flags on the emitted cookie. Everything related to the HTTP protocol is usually very well documented on the Mozilla Developer Network (MDN). The links I have put are MDN links. Also consider documenting yourself with OWASP, which documents these kinds of security settings too, here and here.

    In short, the former forbids the JavaScript code of any page of the Web application from reading the cookie value. So, if the JavaScript does not need to read it, set this HttpOnly flag. In case of an XSS vulnerability in a Web page of the domain on which the cookie is set, that will prevent the cookie value from being leaked.
    Since your application is a Web service, it sounds like it will not have any HTML page in need of reading this on the client side. So, setting it looks like a no-brainer for this case.

    The latter forbids the cookie from being sent on unencrypted HTTP requests. So, if the application does not run over unencrypted HTTP, set this flag to prevent the cookie value from being exposed in clear text on the wire in case someone tries to call the application with an unsecured http:// URL.

    By the way, ASP.NET Core 2.2 has been obsolete for four and a half years. It means it is no longer maintained, with security issues left in place. If it is not planned to upgrade the technology to one still supported, the application will remain unsecured.
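The two effects the answer describes can be checked concretely on the response headers an application emits. The following script is an added example, not code from the question, the answer or ASP.NET Core: it parses Set-Cookie header values, models what HttpOnly and Secure change (readability from script, and whether the cookie is attached to an http:// request) and audits a list of headers for missing flags. The two sample headers are constructed to look like a cookie before and after the CookiePolicyOptions change above; they are not captured from a real service.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure attributes.

Added example (not from the question or answer). Sample headers are
constructed, not captured from a real application.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Cookie:
    name: str
    value: str
    attributes: Dict[str, str] = field(default_factory=dict)

    @property
    def http_only(self) -> bool:
        return "httponly" in self.attributes

    @property
    def secure(self) -> bool:
        return "secure" in self.attributes


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value into a Cookie.

    Attribute names are compared case-insensitively, as browsers do.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return Cookie(name.strip(), value, attrs)


def readable_by_script(cookie: Cookie) -> bool:
    """HttpOnly hides the cookie from document.cookie, so XSS cannot read it."""
    return not cookie.http_only


def sent_on_request(cookie: Cookie, scheme: str) -> bool:
    """A Secure cookie is only attached to https requests, never to plain http."""
    if cookie.secure and scheme.lower() != "https":
        return False
    return True


def audit(headers: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (cookie name, missing flags) for every cookie lacking HttpOnly or Secure."""
    findings = []
    for h in headers:
        c = parse_set_cookie(h)
        missing = []
        if not c.http_only:
            missing.append("HttpOnly")
        if not c.secure:
            missing.append("Secure")
        if missing:
            findings.append((c.name, missing))
    return findings


# Constructed sample headers: BEFORE is a cookie emitted without a cookie policy,
# AFTER is the same cookie once HttpOnlyPolicy.Always and CookieSecurePolicy.Always apply.
BEFORE = "session=abc123; path=/; samesite=lax"
AFTER = "session=abc123; path=/; samesite=lax; secure; httponly"

if __name__ == "__main__":
    for label, header in (("before", BEFORE), ("after", AFTER)):
        c = parse_set_cookie(header)
        print(f"{label}: readable by JS={readable_by_script(c)}, "
              f"sent over http={sent_on_request(c, 'http')}, "
              f"sent over https={sent_on_request(c, 'https')}")
    print("findings:", audit([BEFORE, AFTER]))
```

Run it against the Set-Cookie headers your own service returns (for example copied from a browser's network panel) to confirm the Checkmarx findings are actually resolved at the wire level, rather than trusting the Startup change alone.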