
CodeQL documentation

Cookie security: persistent cookie

ID: cs/web/persistent-cookie
Kind: problem
Security severity: 8.2
Severity: warning
Precision: high
Tags:
  - security
  - external/cwe/cwe-539
Query suites:
  - csharp-code-scanning.qls
  - csharp-security-extended.qls
  - csharp-security-and-quality.qls

Click to see the query in the CodeQL repository

This rule finds cookies that are set to expire more than 5 minutes from now. Cookies are usually non-persistent, in which case they reside only in the browser’s memory. However, setting an expiration date in the future makes a cookie persistent: it is then written to disk so that it survives browser restarts. If a persistent cookie is set to expire in the fairly distant future, it is easier for an attacker to steal its data.

Recommendation

Do not put sensitive information in persistent cookies.
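
The following sketch is an added illustration, not code from the CodeQL documentation or its query tests. It assumes classic ASP.NET (`System.Web.HttpCookie`); the class, method and cookie names are hypothetical. It shows a sensitive value stored in a persistent cookie, the same value issued as a non-persistent cookie, and a non-sensitive value for which persistence is acceptable.

```csharp
using System;
using System.Web;

// Hypothetical helper class, written for this illustration.
public static class CookieExamples
{
    // BAD: a sensitive value in a cookie whose expiry is far beyond the
    // 5-minute threshold the rule describes. The browser writes the cookie
    // to disk, where it survives restarts for a month.
    public static void IssuePersistentSessionCookie(HttpResponse response, string sessionToken)
    {
        var cookie = new HttpCookie("session", sessionToken)
        {
            Expires = DateTime.Now.AddMonths(1)
        };
        response.Cookies.Add(cookie);
    }

    // GOOD: the same sensitive value with Expires left unset. The cookie is
    // non-persistent: it lives in browser memory and is dropped when the
    // browser session ends.
    public static void IssueSessionCookie(HttpResponse response, string sessionToken)
    {
        var cookie = new HttpCookie("session", sessionToken);
        response.Cookies.Add(cookie);
    }

    // ACCEPTABLE AFTER REVIEW: a non-sensitive display preference kept
    // across restarts. By the rule's description it reports on expiry alone,
    // so expect an alert here as well; confirm during triage that the value
    // carries nothing sensitive.
    public static void IssueThemePreferenceCookie(HttpResponse response, string theme)
    {
        var cookie = new HttpCookie("theme", theme)
        {
            Expires = DateTime.Now.AddDays(30)
        };
        response.Cookies.Add(cookie);
    }
}
```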

References

  • Common Weakness Enumeration: CWE-539.

