HttpOnly_Cookie_Flag_Not_Set @ /LoginValidator.java

[cx-boris-goman]

Checkmarx (SAST): HttpOnly_Cookie_Flag_Not_Set
Security Issue: Read More about HttpOnly_Cookie_Flag_Not_Set
Checkmarx Project: cx-boris-goman/borJavaVul
Repository URL: https://github.com/cx-boris-goman/borJavaVul
Branch: main
Scan ID: df63710a-c9c2-4406-9ad7-319bd05458a4

---

The web application's processRequest method creates a cookie password, at line 30 of /LoginValidator.java, and returns it in the response. However, the application is not configured to automatically set the cookie with the "httpOnly" attribute, and the code does not explicitly add this to the cookie.

Result 1:
Severity: MEDIUM
State: TO_VERIFY
Status: RECURRENT
Attack Vector:

    1. password: /LoginValidator.java[30,47]
    2. password: /LoginValidator.java[32,60]
    3. addCookie: /LoginValidator.java[32,59]
    Review result in Checkmarx One: HttpOnly_Cookie_Flag_Not_Set

Result 2:
Severity: MEDIUM
State: TO_VERIFY
Status: RECURRENT
Attack Vector:

    1. username: /LoginValidator.java[29,47]
    2. username: /LoginValidator.java[31,59]
    3. addCookie: /LoginValidator.java[31,58]
    Review result in Checkmarx One: HttpOnly_Cookie_Flag_Not_Set

Result 3:
Severity: MEDIUM
State: TO_VERIFY
Status: RECURRENT
Attack Vector:

    1. privilege: /LoginValidator.java[25,43]
    2. privilege: /LoginValidator.java[26,55]
    3. addCookie: /LoginValidator.java[26,54]
    Review result in Checkmarx One: HttpOnly_Cookie_Flag_Not_Set