Cookie security: overly broad domain¶
ID: cs/web/broad-cookie-domain
Kind: problem
Security severity: 9.3
Severity: warning
Precision: high
Tags:
- security
- external/cwe/cwe-287
Query suites:
- csharp-code-scanning.qls
- csharp-security-extended.qls
- csharp-security-and-quality.qls
Click to see the query in the CodeQL repository
This rule finds cookies with an overly broad domain. Cookies with an overly broad domain, such as “.mybank.com”, can be accessed by all web applications deployed on this domain and its sub-domains. A cookie with sensitive data, but with too broad a domain, could hence be read and tampered with by a less secure and untrusted application.
Recommendation¶
Precisely define the domain of the web application for which this cookie is valid.
Example¶
In this example cookie1 is accessible from online-bank.com. cookie2 is accessible from ebanking.online-bank.com and any subdomains of ebanking.online-bank.com.
class CookieWithOverlyBroadDomain
{
static public void AddCookie()
{
HttpCookie cookie1 = new HttpCookie("sessionID");
cookie1.Domain = "online-bank.com";
HttpCookie cookie2 = new HttpCookie("sessionID");
cookie2.Domain = ".ebanking.online-bank.com";
}
}
In the following example cookie is only accessible from ebanking.online-bank.com which is much more secure.
class CookieWithOverlyBroadDomainFix
{
static public void AddCookie()
{
HttpCookie cookie = new HttpCookie("sessionID");
cookie.Domain = "ebanking.online-bank.com";
}
}
References¶
MSDN: HttpCookie.Domain Property.
Common Weakness Enumeration: CWE-287.