Using cookies is security-sensitive. It has led in the past to the following vulnerabilities:

Attackers can use widely-available tools to read and modify cookies, thus:

This rule flags code that reads or writes cookies.

Ask Yourself Whether

You are at risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

Cookies should only be used to manage the user session. The best practice is to keep all user-related information server-side and link them to the user session, never sending them to the client. In a very few corner cases, cookies can be used for non-sensitive information that need to live longer than the user session.

Do not try to encode sensitive information in a non human-readable format before writing them in a cookie. The encoding can be reverted and the original information will be exposed.

Sanitize every information read from a cookie before using them.

Using cookies only for session IDs doesn't make them secure. Follow OWASP best practices when you configure your cookies.

Questionable Code Example

// === javax.servlet ===
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletRequest;

public class JavaxServlet {
    void aServiceMethodSettingCookie(HttpServletRequest request, HttpServletResponse response, String acctID) {
        Cookie cookie = new Cookie("userAccountID", acctID);  // Questionable
        response.addCookie(cookie);  // Questionable

        cookie.getValue();  // Questionable. Check how the value is used.
    }
}
// === javax.ws ===
import java.util.Date;
import javax.ws.rs.core.Cookie;
import javax.ws.rs.core.NewCookie;

class JavaxWs {
    void jaxRsCookie(String comment, int maxAge, boolean secure, Date expiry, boolean httpOnly, String name,
            String value, String path, String domain, int version) {
        Cookie cookie= new Cookie("name", "value");  // Questionable
        cookie.getValue();  // Questionable

        new NewCookie(cookie);  // Questionable
        new NewCookie(cookie, comment, maxAge, secure);
        new NewCookie(cookie, comment, maxAge, expiry, secure, httpOnly);
        new NewCookie(name, value);
        new NewCookie(name, value, path, domain, version, comment, maxAge, secure);
        new NewCookie(name, value, path, domain, version, comment, maxAge, expiry, secure, httpOnly);
        new NewCookie(name, value, path, domain, comment, maxAge, secure);
        new NewCookie(name, value, path, domain, comment, maxAge, secure, httpOnly);
    }
}
// === java.net ===
import java.net.HttpCookie;

class JavaNet {
    void httpCookie(HttpCookie hc) {
        HttpCookie cookie = new HttpCookie("name", "value");  // Questionable
        cookie.setValue("value");  // Questionable
        cookie.getValue();  // Questionable
    }
}
// === apache.shiro ===
import org.apache.shiro.web.servlet.SimpleCookie;

class ApacheShiro {

    void shiroCookie(SimpleCookie cookie) {
        SimpleCookie sc = new SimpleCookie(cookie);  // Questionable
        cookie.setValue("value");  // Questionable
        cookie.getValue();  // Questionable
    }
}
// === spring ===
import org.springframework.security.web.savedrequest.SavedCookie;
import org.springframework.web.bind.annotation.CookieValue;
import org.springframework.web.bind.annotation.RequestMapping;
import javax.servlet.http.Cookie;

class Spring {
    @RequestMapping("/mypage.html")
    // Questionable. “myCookie” value is read from a cookie.
    public String myPage(@CookieValue("cookieName") String myCookie) {
        return "test";
    }

    void springCookie(Cookie cookie) {
        SavedCookie savedCookie = new SavedCookie(cookie); // Questionable
        cookie.getValue(); // Questionable
    }
}
// === Play ===
import play.mvc.Http.Cookie;
import play.mvc.Http.CookieBuilder;
import scala.language;


class Play {
    void playCookie(Cookie cookie) {
        cookie.value();  // Questionable

        CookieBuilder builder = Cookie.builder("name", "value");  // Questionable
        builder.withName("name")
          .withValue("value")  // Questionable
          .build();

    }
}

See