Cookie security: overly broad path

ID: cs/web/broad-cookie-path
Kind: problem
Security severity: 9.3
Severity: warning
Precision: high
Tags:
  - security
  - external/cwe/cwe-287
Query suites:
  - csharp-code-scanning.qls
  - csharp-security-extended.qls
  - csharp-security-and-quality.qls

This rule finds cookies with an overly broad path. A cookie whose path is the root ("/") is sent by the browser with every request to the host, so it is available to all web applications served under the same domain name. A cookie carrying sensitive data (a session identifier, for example) with too broad a path can therefore be read, and its value replaced, by a less secure or untrusted application on that host. Note that the Path attribute is a scoping mechanism, not an isolation boundary: RFC 6265 (section 8.6) states that cookies do not provide isolation by path, so a narrow path limits exposure but is no substitute for keeping untrusted applications off the same origin.

Recommendation

Precisely define the path of the web application for which this cookie is valid, and set it explicitly: the Path of a new HttpCookie defaults to the root path ("/"), so leaving it unset is equivalent to the broad setting flagged by this rule.

Example

In this example the cookie is sent to every application on the host regardless of its path. Most likely some of these applications are less secure than others and do not need access to this cookie at all.

```csharp
using System.Web;

class CookieWithOverlyBroadPath
{
    // Vulnerable: the session cookie is scoped to the root path, so every
    // application served under this host name receives it.
    public static void AddCookie()
    {
        HttpCookie cookie = new HttpCookie("sessionID");
        cookie.Path = "/";
    }
}
```

In the following example the cookie is only sent to the web application at the "/ebanking" path (and to paths below it, such as "/ebanking/accounts"); other applications on the same host, such as one at "/forum", do not receive it.

```csharp
using System.Web;

class CookieWithOverlyBroadPathFix
{
    // Fixed: the cookie is scoped to the e-banking application's path, so
    // requests to other applications on the host do not carry it.
    public static void AddCookie()
    {
        HttpCookie cookie = new HttpCookie("sessionID");
        cookie.Path = "/ebanking";
    }
}
```
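The two examples above differ only in which request paths the browser attaches the cookie to. The following is an added example, not part of the CodeQL query or its documentation: a small Python model of the RFC 6265 (section 5.1.4) path-match and default-path rules that browsers apply. The list of request paths is constructed for illustration ("/ebanking" is the page's own example; the other applications are assumed), and it shows that Path="/" reaches every application while Path="/ebanking" reaches only that application and its sub-paths, not a neighbour that merely shares the prefix.

```python
"""Model of RFC 6265 cookie path scoping (added example, not project code)."""


def default_path(uri_path: str) -> str:
    """RFC 6265 section 5.1.4: the Path a cookie gets when Set-Cookie omits it.

    The result is the request path with its last segment removed, or "/" when
    there is nothing above that segment.
    """
    if not uri_path or not uri_path.startswith("/"):
        return "/"
    if uri_path.count("/") <= 1:
        return "/"
    return uri_path[: uri_path.rfind("/")]


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match.

    True when a cookie with cookie_path is sent with a request for
    request_path: exact match, or cookie_path is a prefix that either ends in
    "/" or is followed by "/" in the request path (so "/ebanking" matches
    "/ebanking/accounts" but not "/ebanking-help").
    """
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    if cookie_path.endswith("/"):
        return True
    return request_path[len(cookie_path)] == "/"


# Constructed sample: several applications sharing one host name. Only
# "/ebanking" comes from the page; the rest are assumed for illustration.
REQUEST_PATHS = [
    "/",
    "/ebanking",
    "/ebanking/accounts/transfer",
    "/ebanking-help/faq",  # shares the prefix but is a different application
    "/forum/post/42",
    "/static/logo.png",
]


def paths_receiving(cookie_path: str, request_paths=REQUEST_PATHS) -> list:
    """Request paths whose requests would carry a cookie with this Path."""
    return [p for p in request_paths if path_matches(p, cookie_path)]


def compare(broad: str = "/", scoped: str = "/ebanking") -> dict:
    """Side by side: the overly broad path versus the scoped one."""
    return {broad: paths_receiving(broad), scoped: paths_receiving(scoped)}


if __name__ == "__main__":
    for cookie_path, paths in compare().items():
        print(f"Path={cookie_path!r} is sent with requests to: {paths}")
    # A Set-Cookie with no Path attribute gets the default path, which for a
    # response from "/ebanking" itself is "/"; omitting Path is not a fix.
    print("default path for /ebanking/login:", default_path("/ebanking/login"))
    print("default path for /ebanking:", default_path("/ebanking"))
```

The default-path rule is worth keeping in mind alongside the HttpCookie default of "/": a cookie set from a response to "/ebanking" with no explicit Path also ends up at "/", so the fix is to set Path deliberately, as in the corrected example above.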
