CXX.SV.PERSISTENT_COOKIE

Illegal usage of a persistent cookie

Klocwork reports a CXX.SV.PERSISTENT_COOKIE defect when an application uses persistent cookies for tracking changes while on a website instead of using session cookies.

Vulnerability and risk

Persistent cookies remain on the client device until they are deleted or expired. An attacker could reuse persistent cookies from web application users to impersonate them or hijack their sessions. The longer a cookie persists, the higher the risk is of the cookie being used in an attack.

Mitigation and prevention

A common mitigation strategy is to ensure that after the user's session has ended, information stored in cookies is destroyed and therefore cannot be reused. Session cookies are a good tool for achieving this. Session cookies do not retain any information about a device or send information from the device. These cookies are deleted when the session expires or is terminated when the browser window is closed.

To reduce exposure to session hijacking, ensure that the cookie creation process is configured to generate a session cookie instead of a persistent cookie. Review the framework used to generate cookies to find how to generate session cookies properly. Depending on the framework used, this can involve setting an invalid date for setting the expiration date of a cookie.

Vulnerable code example 1

1
2
3
4
5
void create_cookie()
{
    QNetworkCookie cookie;
    cookie.setExpirationDate(QDateTime::currentDateTimeUtc().addSecs(60));  //CXX.SV.PERSISTENT_COOKIE
}

Klocwork reports a CXX.SV.PERSISTENT_COOKIE defect at line 4 to indicate the use of a persistent cookie because the valid date is passed to the setExpirationDate() API.

Fixed code example 1

1
2
3
4
5
void create_cookie()
{
    QNetworkCookie cookie;
    cookie.setExpirationDate(0);    //no CXX.SV.PERSISTENT_COOKIE as invalid date is passed as argument
}

Klockwork no longer reports a CXX.SV.PERSISTENT_COOKIE defect because the setExpirationDate() API is called with an invalid date. In this case, session cookie is created. If the expiration date is not present, the cookie is considered a "session cookie" and will be discarded when the application exits or when its concept of session is over.

External guidance

• CWE-539: Use of Persistent Cookies Containing Sensitive Information
• OWASP Session Management Cheat Sheet
• STIG-ID:V-222578 (APSC-DV-002240): The application must destroy the session ID value and/or cookie on logoff or browser close

Extension

This checker can be extended by adding parameters to the checker to describe the API to set expiration date for the cookie creating library. See Tuning C/C++ analysis for more information.