Edit

Share via

CA5396: Set HttpOnly to true for HttpCookie

  • Article
Property Value
Rule ID CA5396
Title Set HttpOnly to true for HttpCookie
Category Security
Fix is breaking or non-breaking Non-breaking
Enabled by default in .NET 9 No

Cause

System.Web.HttpCookie.HttpOnly is set to false. The default value of this property is false.

Rule description

As a defense in depth measure, ensure security sensitive HTTP cookies are marked as HttpOnly. This indicates web browsers should disallow scripts from accessing the cookies. Injected malicious scripts are a common way of stealing cookies.

How to fix violations

Set System.Web.HttpCookie.HttpOnly to true.

When to suppress warnings

  • If the global value of HttpOnly is set, such as in the following example:

    XML 
    <system.web>
    ...
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
</system.web>

  • If you're sure there's no sensitive data in the cookies.

Suppress a warning

If you just want to suppress a single violation, add preprocessor directives to your source file to disable and then re-enable the rule.

C# 
#pragma warning disable CA5396
// The code that's violating the rule is on this line.
#pragma warning restore CA5396

To disable the rule for a file, folder, or project, set its severity to none in the configuration file.

ini 
[*.{cs,vb}]
dotnet_diagnostic.CA5396.severity = none

For more information, see How to suppress code analysis warnings.

Example

Violation:

C# 
using System.Web;

class ExampleClass
{
    public void ExampleMethod()
    {
        HttpCookie httpCookie = new HttpCookie("cookieName");
        httpCookie.HttpOnly = false;
    }
}

Solution:

C# 
using System.Web;

class ExampleClass
{
    public void ExampleMethod()
    {
        HttpCookie httpCookie = new HttpCookie("cookieName");
        httpCookie.HttpOnly = true;
    }
}