Merge pull request #5579 from edvraa/cookies

C#: HttpOnly and Secure cookie queries
2026-04-29 10:45:15 +02:00 · 2021-08-09 08:58:11 +02:00
parent 8bb47b91b9 e790ee7c2e
commit c1cf2a1c5f
102 changed files with 2168 additions and 23 deletions
--- a/Features/CWE-614/RequireSSL.ql
+++ b/Features/CWE-614/RequireSSL.ql
@@ -17,29 +17,8 @@ import csharp
 import semmle.code.asp.WebConfig
 import semmle.code.csharp.frameworks.system.Web

-class FormsElement extends XMLElement {
-  FormsElement() {
-    this = any(SystemWebXMLElement sw).getAChild("authentication").getAChild("forms")
-  }
-
-  string getRequireSSL() { result = getAttribute("requireSSL").getValue().trim().toLowerCase() }
-
-  predicate isRequireSSL() { getRequireSSL() = "true" }
-}
-
-class HttpCookiesElement extends XMLElement {
-  HttpCookiesElement() { this = any(SystemWebXMLElement sw).getAChild("httpCookies") }
-
-  string getRequireSSL() { result = getAttribute("requireSSL").getValue().trim().toLowerCase() }
-
-  predicate isRequireSSL() {
-    getRequireSSL() = "true"
-    or
-    not getRequireSSL() = "false" and
-    exists(FormsElement forms | forms.getFile() = getFile() | forms.isRequireSSL())
-  }
-}
-
+// the query is a subset of `cs/web/cookie-secure-not-set` and
+// should be removed once it is promoted from experimental
 from XMLElement element
 where
  element instanceof FormsElement and
--- a/Features/CWE-1004/CookieWithoutHttpOnly.qhelp
+++ b/Features/CWE-1004/CookieWithoutHttpOnly.qhelp
@@ -0,0 +1,51 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+Cookies without <code>HttpOnly</code> flag are accessible to JavaScript running in the same origin. In case of
+Cross-Site Scripting (XSS) vulnerability the cookie can be stolen by malicious script.
+</p>
+</overview>
+
+<recommendation>
+<p>
+Protect sensitive cookies, such as related to authentication, by setting <code>HttpOnly</code> to <code>true</code> to make
+them not accessible to JavaScript. In ASP.NET case it is also possible to set the attribute via <code>&lt;httpCookies&gt;</code> element
+of <code>web.config</code> with the attribute <code>httpOnlyCookies="true"</code>.
+</p>
+</recommendation>
+
+<example>
+
+<p>
+In the example below <code>Microsoft.AspNetCore.Http.CookieOptions.HttpOnly</code> is set to <code>true</code>.
+</p>
+
+<sample src="httponlyflagcore.cs" />
+
+<p>
+In the following example <code>CookiePolicyOptions</code> are set programmatically to configure defaults.
+</p>
+
+<sample src="cookiepolicyoptions.cs" />
+
+<p>
+In the example below <code>System.Web.HttpCookie.HttpOnly</code> is set to <code>true</code>.
+</p>
+
+<sample src="httponlyflag.cs" />
+
+</example>
+
+<references>
+
+<li><a href="https://docs.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.cookieoptions.httponly">CookieOptions.HttpOnly Property,</a></li>
+<li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie">Set-Cookie</a> Header,</li>
+<li><a href="https://msdn.microsoft.com/en-us/library/system.web.httpcookie.httponly(v=vs.110).aspx">HttpCookie.HttpOnly Property,</a></li>
+<li><a href="https://msdn.microsoft.com/library/ms228262%28v=vs.100%29.aspx">httpCookies Element,</a></li>
+
+</references>
+</qhelp>
--- a/Features/CWE-1004/CookieWithoutHttpOnly.ql
+++ b/Features/CWE-1004/CookieWithoutHttpOnly.ql
@@ -0,0 +1,119 @@
+/**
+ * @name 'HttpOnly' attribute is not set to true
+ * @description Omitting the 'HttpOnly' attribute for security sensitive data allows
+ *              malicious JavaScript to steal it in case of XSS vulnerability. Always set
+ *              'HttpOnly' to 'true' to authentication related cookie to make it
+ *              not accessible by JavaScript.
+ * @kind problem
+ * @problem.severity warning
+ * @precision high
+ * @id cs/web/cookie-httponly-not-set
+ * @tags security
+ *       external/cwe/cwe-1004
+ */
+
+import csharp
+import semmle.code.asp.WebConfig
+import semmle.code.csharp.frameworks.system.Web
+import semmle.code.csharp.frameworks.microsoft.AspNetCore
+import experimental.dataflow.flowsources.AuthCookie
+
+from Expr httpOnlySink
+where
+  exists(Assignment a, Expr val |
+    httpOnlySink = a.getRValue() and
+    val.getValue() = "false" and
+    (
+      exists(ObjectCreation oc |
+        getAValueForProp(oc, a, "HttpOnly") = val and
+        (
+          oc.getType() instanceof SystemWebHttpCookie and
+          isCookieWithSensitiveName(oc.getArgument(0))
+          or
+          exists(MethodCall mc, MicrosoftAspNetCoreHttpResponseCookies iResponse |
+            oc.getType() instanceof MicrosoftAspNetCoreHttpCookieOptions and
+            iResponse.getAppendMethod() = mc.getTarget() and
+            isCookieWithSensitiveName(mc.getArgument(0)) and
+            // there is no callback `OnAppendCookie` that sets `HttpOnly` to true
+            not exists(
+              OnAppendCookieHttpOnlyTrackingConfig config, DataFlow::Node source,
+              DataFlow::Node sink
+            |
+              config.hasFlow(source, sink)
+            ) and
+            // Passed as third argument to `IResponseCookies.Append`
+            exists(
+              CookieOptionsTrackingConfiguration cookieTracking, DataFlow::Node creation,
+              DataFlow::Node append
+            |
+              cookieTracking.hasFlow(creation, append) and
+              creation.asExpr() = oc and
+              append.asExpr() = mc.getArgument(2)
+            )
+          )
+        )
+      )
+      or
+      exists(PropertyWrite pw |
+        (
+          pw.getProperty().getDeclaringType() instanceof MicrosoftAspNetCoreHttpCookieBuilder or
+          pw.getProperty().getDeclaringType() instanceof
+            MicrosoftAspNetCoreAuthenticationCookiesCookieAuthenticationOptions
+        ) and
+        pw.getProperty().getName() = "HttpOnly" and
+        a.getLValue() = pw and
+        DataFlow::localExprFlow(val, a.getRValue())
+      )
+    )
+  )
+  or
+  exists(Call c |
+    httpOnlySink = c and
+    (
+      exists(MicrosoftAspNetCoreHttpResponseCookies iResponse, MethodCall mc |
+        // default is not configured or is not set to `Always`
+        not getAValueForCookiePolicyProp("HttpOnly").getValue() = "1" and
+        // there is no callback `OnAppendCookie` that sets `HttpOnly` to true
+        not exists(
+          OnAppendCookieHttpOnlyTrackingConfig config, DataFlow::Node source, DataFlow::Node sink
+        |
+          config.hasFlow(source, sink)
+        ) and
+        iResponse.getAppendMethod() = mc.getTarget() and
+        isCookieWithSensitiveName(mc.getArgument(0)) and
+        (
+          // `HttpOnly` property in `CookieOptions` passed to IResponseCookies.Append(...) wasn't set
+          exists(ObjectCreation oc |
+            oc = c and
+            oc.getType() instanceof MicrosoftAspNetCoreHttpCookieOptions and
+            not isPropertySet(oc, "HttpOnly") and
+            exists(
+              CookieOptionsTrackingConfiguration cookieTracking, DataFlow::Node creation,
+              DataFlow::Node append
+            |
+              cookieTracking.hasFlow(creation, append) and
+              creation.asExpr() = oc
+            )
+          )
+          or
+          // IResponseCookies.Append(String, String) was called, `HttpOnly` is set to `false` by default
+          mc = c and
+          mc.getNumberOfArguments() < 3
+        )
+      )
+      or
+      exists(ObjectCreation oc |
+        oc = c and
+        oc.getType() instanceof SystemWebHttpCookie and
+        isCookieWithSensitiveName(oc.getArgument(0)) and
+        // the property wasn't explicitly set, so a default value from config is used
+        not isPropertySet(oc, "HttpOnly") and
+        // the default in config is not set to `true`
+        not exists(XMLElement element |
+          element instanceof HttpCookiesElement and
+          element.(HttpCookiesElement).isHttpOnlyCookies()
+        )
+      )
+    )
+  )
+select httpOnlySink, "Cookie attribute 'HttpOnly' is not set to true."
--- a/Features/CWE-1004/cookiepolicyoptions.cs
+++ b/Features/CWE-1004/cookiepolicyoptions.cs
@@ -0,0 +1,12 @@
+public class Startup
+{
+    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
+    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
+    {
+        app.UseCookiePolicy(new CookiePolicyOptions()
+        {
+            Secure = Microsoft.AspNetCore.Http.CookieSecurePolicy.Always,
+            HttpOnly = Microsoft.AspNetCore.CookiePolicy.HttpOnlyPolicy.Always
+        });
+    }
+}
--- a/csharp/ql/src/experimental/Security
+++ b/csharp/ql/src/experimental/Security
@@ -0,0 +1,7 @@
+class MyController : Controller
+{
+    void Login()
+    {
+        var cookie = new System.Web.HttpCookie("cookieName") { HttpOnly = true };
+    }
+}
--- a/Features/CWE-1004/httponlyflagcore.cs
+++ b/Features/CWE-1004/httponlyflagcore.cs
@@ -0,0 +1,8 @@
+class MyController : Controller
+{
+    void Login()
+    {
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions() { HttpOnly = true };
+        Response.Cookies.Append("auth", "secret", cookieOptions);
+    }
+}
--- a/Features/CWE-614/CookieWithoutSecure.qhelp
+++ b/Features/CWE-614/CookieWithoutSecure.qhelp
@@ -0,0 +1,55 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+Sensitive data that is transmitted using HTTP is vulnerable to being read by a third party. By default,
+cookies are sent via HTTP, not HTTPS.
+</p>
+</overview>
+
+<recommendation>
+<p>
+In ASP.NET case when using cookies ensure that HTTPS is used by setting the property <code>Microsoft.AspNetCore.Http.CookieOptions.Secure</code> to <code>true</code>.
+</p>
+<p>
+In ASP.NET Core case when using cookies, ensure that HTTPS is used, either via the <code>&lt;forms&gt;</code> attribute above, or
+the <code>&lt;httpCookies&gt;</code> element, with the attribute <code>requireSSL="true"</code>. It is also possible to require cookies
+to use HTTPS programmatically, by setting the property <code>System.Web.HttpCookie.Secure</code> to <code>true</code>.
+</p>
+</recommendation>
+
+<example>
+
+<p>
+In the example below <code>Microsoft.AspNetCore.Http.CookieOptions.Secure</code> is set to <code>true</code> programmatically.
+</p>
+
+<sample src="secureflagcore.cs" />
+
+<p>
+In the following example <code>CookiePolicyOptions</code> are set programmatically to configure defaults.
+</p>
+
+<sample src="cookiepolicyoptions.cs" />
+
+<p>
+In the example below <code>System.Web.HttpCookie.Secure</code> is set to <code>true</code> programmatically.
+</p>
+
+<sample src="secureflag.cs" />
+
+</example>
+
+<references>
+
+<li><a href="https://docs.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.cookieoptions.secure">CookieOptions.Secure Property,</a></li>
+<li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie">Set-Cookie</a> Header,</li>
+<li><a href="https://msdn.microsoft.com/en-us/library/system.web.security.formsauthentication.requiressl(v=vs.110).aspx">FormsAuthentication.RequireSSL Property,</a></li>
+<li><a href="https://msdn.microsoft.com/en-us/library/1d3t3c61(v=vs.100).aspx">forms Element for authentication,</a></li>
+<li><a href="https://msdn.microsoft.com/library/ms228262%28v=vs.100%29.aspx">httpCookies Element,</a></li>
+
+</references>
+</qhelp>
--- a/Features/CWE-614/CookieWithoutSecure.ql
+++ b/Features/CWE-614/CookieWithoutSecure.ql
@@ -0,0 +1,118 @@
+/**
+ * @name 'Secure' attribute is not set to true
+ * @description Omitting the 'Secure' attribute allows data to be transmitted insecurely
+ *              using HTTP. Always set 'Secure' to 'true' to ensure that HTTPS
+ *              is used at all times.
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @id cs/web/cookie-secure-not-set
+ * @tags security
+ *       external/cwe/cwe-319
+ *       external/cwe/cwe-614
+ */
+
+import csharp
+import semmle.code.asp.WebConfig
+import semmle.code.csharp.frameworks.system.Web
+import semmle.code.csharp.frameworks.microsoft.AspNetCore
+import experimental.dataflow.flowsources.AuthCookie
+
+from Expr secureSink
+where
+  exists(Call c |
+    secureSink = c and
+    (
+      // default is not configured or is not set to `Always` or `SameAsRequest`
+      not (
+        getAValueForCookiePolicyProp("Secure").getValue() = "0" or
+        getAValueForCookiePolicyProp("Secure").getValue() = "1"
+      ) and
+      // there is no callback `OnAppendCookie` that sets `Secure` to true
+      not exists(
+        OnAppendCookieSecureTrackingConfig config, DataFlow::Node source, DataFlow::Node sink
+      |
+        config.hasFlow(source, sink)
+      ) and
+      (
+        // `Secure` property in `CookieOptions` passed to IResponseCookies.Append(...) wasn't set
+        exists(ObjectCreation oc |
+          oc = c and
+          oc.getType() instanceof MicrosoftAspNetCoreHttpCookieOptions and
+          not isPropertySet(oc, "Secure") and
+          exists(
+            CookieOptionsTrackingConfiguration cookieTracking, DataFlow::Node creation,
+            DataFlow::Node append
+          |
+            cookieTracking.hasFlow(creation, append) and
+            creation.asExpr() = oc
+          )
+        )
+        or
+        // IResponseCookies.Append(String, String) was called, `Secure` is set to `false` by default
+        exists(MethodCall mc, MicrosoftAspNetCoreHttpResponseCookies iResponse |
+          mc = c and
+          iResponse.getAppendMethod() = mc.getTarget() and
+          mc.getNumberOfArguments() < 3
+        )
+      )
+      or
+      exists(ObjectCreation oc |
+        oc = c and
+        oc.getType() instanceof SystemWebHttpCookie and
+        // the property wasn't explicitly set, so a default value from config is used
+        not isPropertySet(oc, "Secure") and
+        // the default in config is not set to `true`
+        // the `exists` below covers the `cs/web/requiressl-not-set`
+        not exists(XMLElement element |
+          element instanceof FormsElement and
+          element.(FormsElement).isRequireSSL()
+          or
+          element instanceof HttpCookiesElement and
+          element.(HttpCookiesElement).isRequireSSL()
+        )
+      )
+    )
+  )
+  or
+  exists(Assignment a, Expr val |
+    secureSink = a.getRValue() and
+    (
+      exists(ObjectCreation oc |
+        getAValueForProp(oc, a, "Secure") = val and
+        val.getValue() = "false" and
+        (
+          oc.getType() instanceof SystemWebHttpCookie
+          or
+          oc.getType() instanceof MicrosoftAspNetCoreHttpCookieOptions and
+          // there is no callback `OnAppendCookie` that sets `Secure` to true
+          not exists(
+            OnAppendCookieSecureTrackingConfig config, DataFlow::Node source, DataFlow::Node sink
+          |
+            config.hasFlow(source, sink)
+          ) and
+          // the cookie option is passed to `Append`
+          exists(
+            CookieOptionsTrackingConfiguration cookieTracking, DataFlow::Node creation,
+            DataFlow::Node append
+          |
+            cookieTracking.hasFlow(creation, append) and
+            creation.asExpr() = oc
+          )
+        )
+      )
+      or
+      exists(PropertyWrite pw |
+        (
+          pw.getProperty().getDeclaringType() instanceof MicrosoftAspNetCoreHttpCookieBuilder or
+          pw.getProperty().getDeclaringType() instanceof
+            MicrosoftAspNetCoreAuthenticationCookiesCookieAuthenticationOptions
+        ) and
+        pw.getProperty().getName() = "SecurePolicy" and
+        a.getLValue() = pw and
+        DataFlow::localExprFlow(val, a.getRValue()) and
+        val.getValue() = "2" // None
+      )
+    )
+  )
+select secureSink, "Cookie attribute 'Secure' is not set to true."
--- a/csharp/ql/src/experimental/Security
+++ b/csharp/ql/src/experimental/Security
@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<configuration>
+  <system.web>
+    <authentication>
+      <forms
+        requireSSL="true"
+        ... />
+    </authentication>
+    <httpCookies
+        requireSSL="true"
+        ... />
+  </system.web>
+</configuration>
--- a/Features/CWE-614/cookiepolicyoptions.cs
+++ b/Features/CWE-614/cookiepolicyoptions.cs
@@ -0,0 +1,12 @@
+public class Startup
+{
+    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
+    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
+    {
+        app.UseCookiePolicy(new CookiePolicyOptions()
+        {
+            Secure = Microsoft.AspNetCore.Http.CookieSecurePolicy.Always,
+            HttpOnly = Microsoft.AspNetCore.CookiePolicy.HttpOnlyPolicy.Always
+        });
+    }
+}
--- a/csharp/ql/src/experimental/Security
+++ b/csharp/ql/src/experimental/Security
@@ -0,0 +1,7 @@
+class MyController : Controller
+{
+    void Login()
+    {
+        var cookie = new System.Web.HttpCookie("cookieName") { Secure = true };
+    }
+}
--- a/csharp/ql/src/experimental/Security
+++ b/csharp/ql/src/experimental/Security
@@ -0,0 +1,8 @@
+class MyController : Controller
+{
+    void Login()
+    {
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions() { Secure = true };
+        Response.Cookies.Append("auth", "secret", cookieOptions);
+    }
+}
--- a/csharp/ql/src/experimental/dataflow/flowsources/AuthCookie.qll
+++ b/csharp/ql/src/experimental/dataflow/flowsources/AuthCookie.qll
@@ -0,0 +1,182 @@
+/**
+ * Provides classes and predicates for detecting insecure cookies.
+ */
+
+import csharp
+import semmle.code.csharp.frameworks.microsoft.AspNetCore
+
+/**
+ * Holds if the expression is a variable with a sensitive name.
+ */
+predicate isCookieWithSensitiveName(Expr cookieExpr) {
+  exists(AuthCookieNameConfiguration dataflow, DataFlow::Node source, DataFlow::Node sink |
+    dataflow.hasFlow(source, sink) and
+    sink.asExpr() = cookieExpr
+  )
+}
+
+/**
+ * Tracks if a variable with a sensitive name is used as an argument.
+ */
+private class AuthCookieNameConfiguration extends DataFlow::Configuration {
+  AuthCookieNameConfiguration() { this = "AuthCookieNameConfiguration" }
+
+  private predicate isAuthVariable(Expr expr) {
+    exists(string val |
+      (
+        val = expr.getValue() or
+        val = expr.(Access).getTarget().getName()
+      ) and
+      val.regexpMatch("(?i).*(session|login|token|user|auth|credential).*") and
+      not val.regexpMatch("(?i).*(xsrf|csrf|forgery).*")
+    )
+  }
+
+  override predicate isSource(DataFlow::Node source) { isAuthVariable(source.asExpr()) }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(Call c | sink.asExpr() = c.getAnArgument())
+  }
+}
+
+/**
+ * Tracks creation of `CookieOptions` to `IResponseCookies.Append(String, String, CookieOptions)` call as a third parameter.
+ */
+class CookieOptionsTrackingConfiguration extends DataFlow::Configuration {
+  CookieOptionsTrackingConfiguration() { this = "CookieOptionsTrackingConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) {
+    source.asExpr().(ObjectCreation).getType() instanceof MicrosoftAspNetCoreHttpCookieOptions
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(MicrosoftAspNetCoreHttpResponseCookies iResponse, MethodCall mc |
+      iResponse.getAppendMethod() = mc.getTarget() and
+      mc.getArgument(2) = sink.asExpr()
+    )
+  }
+}
+
+/**
+ * Looks for property value of `CookiePolicyOptions` passed to `app.UseCookiePolicy` in `Startup.Configure`.
+ */
+Expr getAValueForCookiePolicyProp(string prop) {
+  exists(Method m, MethodCall mc, ObjectCreation oc, Assignment a, Expr val |
+    m.getName() = "Configure" and
+    m.getDeclaringType().getName() = "Startup" and
+    m.getBody().getAChild+() = mc and
+    mc.getTarget() =
+      any(MicrosoftAspNetCoreBuilderCookiePolicyAppBuilderExtensions e).getUseCookiePolicyMethod() and
+    oc.getType() instanceof MicrosoftAspNetCoreBuilderCookiePolicyOptions and
+    getAValueForProp(oc, a, prop) = val and
+    result = val
+  )
+}
+
+/**
+ * A simplistic points-to alternative: given an object creation and a property name, get the values that property can be assigned.
+ *
+ * Assumptions:
+ *    - we don't reassign the variable that the creation is stored in
+ *    - we always access the creation through the same variable it is initially assigned to
+ *
+ * This should cover most typical patterns...
+ */
+Expr getAValueForProp(ObjectCreation create, Assignment a, string prop) {
+  // values set in object init
+  exists(MemberInitializer init, Expr src, PropertyAccess pa |
+    a.getLValue() = pa and
+    pa.getTarget().hasName(prop) and
+    init = create.getInitializer().(ObjectInitializer).getAMemberInitializer() and
+    init.getLValue() = pa and
+    DataFlow::localExprFlow(src, init.getRValue()) and
+    result = src
+  )
+  or
+  // values set on var that create is assigned to
+  exists(Expr src, PropertyAccess pa |
+    a.getLValue() = pa and
+    pa.getTarget().hasName(prop) and
+    DataFlow::localExprFlow(create, pa.getQualifier()) and
+    DataFlow::localExprFlow(src, a.getRValue()) and
+    result = src
+  )
+}
+
+/**
+ * Checks if the given property was explicitly set to a value.
+ */
+predicate isPropertySet(ObjectCreation oc, string prop) { exists(getAValueForProp(oc, _, prop)) }
+
+/**
+ * Tracks if a callback used in `OnAppendCookie` sets `Secure` to `true`.
+ */
+class OnAppendCookieSecureTrackingConfig extends OnAppendCookieTrackingConfig {
+  OnAppendCookieSecureTrackingConfig() { this = "OnAppendCookieSecureTrackingConfig" }
+
+  override string propertyName() { result = "Secure" }
+}
+
+/**
+ * Tracks if a callback used in `OnAppendCookie` sets `HttpOnly` to `true`.
+ */
+class OnAppendCookieHttpOnlyTrackingConfig extends OnAppendCookieTrackingConfig {
+  OnAppendCookieHttpOnlyTrackingConfig() { this = "OnAppendCookieHttpOnlyTrackingConfig" }
+
+  override string propertyName() { result = "HttpOnly" }
+}
+
+/**
+ * Tracks if a callback used in `OnAppendCookie` sets a cookie property to `true`.
+ */
+abstract private class OnAppendCookieTrackingConfig extends DataFlow::Configuration {
+  bindingset[this]
+  OnAppendCookieTrackingConfig() { any() }
+
+  /**
+   * Specifies the cookie property name to track.
+   */
+  abstract string propertyName();
+
+  override predicate isSource(DataFlow::Node source) {
+    exists(PropertyWrite pw, Assignment delegateAssign, Callable c |
+      pw.getProperty().getName() = "OnAppendCookie" and
+      pw.getProperty().getDeclaringType() instanceof MicrosoftAspNetCoreBuilderCookiePolicyOptions and
+      delegateAssign.getLValue() = pw and
+      (
+        exists(LambdaExpr lambda |
+          delegateAssign.getRValue() = lambda and
+          lambda = c
+        )
+        or
+        exists(DelegateCreation delegate |
+          delegateAssign.getRValue() = delegate and
+          delegate.getArgument().(CallableAccess).getTarget() = c
+        )
+      ) and
+      c.getParameter(0) = source.asParameter()
+    )
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(PropertyWrite pw, Assignment a |
+      pw.getProperty().getDeclaringType() instanceof MicrosoftAspNetCoreHttpCookieOptions and
+      pw.getProperty().getName() = propertyName() and
+      a.getLValue() = pw and
+      exists(Expr val |
+        DataFlow::localExprFlow(val, a.getRValue()) and
+        val.getValue() = "true"
+      ) and
+      sink.asExpr() = pw.getQualifier()
+    )
+  }
+
+  override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    node2.asExpr() =
+      any(PropertyRead pr |
+        pr.getQualifier() = node1.asExpr() and
+        pr.getProperty().getDeclaringType() instanceof
+          MicrosoftAspNetCoreCookiePolicyAppendCookieContext
+      )
+  }
+}
--- a/csharp/ql/src/semmle/code/asp/WebConfig.qll
+++ b/csharp/ql/src/semmle/code/asp/WebConfig.qll
@@ -63,3 +63,52 @@ class HttpRuntimeXMLElement extends XMLElement {
    this.getName().toLowerCase() = "httpruntime"
  }
 }
+
+/** A `<forms>` tag under `<system.web><authentication>` in an ASP.NET configuration file. */
+class FormsElement extends XMLElement {
+  FormsElement() {
+    this = any(SystemWebXMLElement sw).getAChild("authentication").getAChild("forms")
+  }
+
+  /**
+   * Gets attribute's `requireSSL` value.
+   */
+  string getRequireSSL() { result = getAttribute("requireSSL").getValue().trim().toLowerCase() }
+
+  /**
+   * Holds if `requireSSL` value is true.
+   */
+  predicate isRequireSSL() { getRequireSSL() = "true" }
+}
+
+/** A `<httpCookies>` tag in an ASP.NET configuration file. */
+class HttpCookiesElement extends XMLElement {
+  HttpCookiesElement() { this = any(SystemWebXMLElement sw).getAChild("httpCookies") }
+
+  /**
+   * Gets attribute's `httpOnlyCookies` value.
+   */
+  string getHttpOnlyCookies() {
+    result = getAttribute("httpOnlyCookies").getValue().trim().toLowerCase()
+  }
+
+  /**
+   * Holds if there is any chance that `httpOnlyCookies` is set to `true`.
+   */
+  predicate isHttpOnlyCookies() { getHttpOnlyCookies() = "true" }
+
+  /**
+   * Gets attribute's `requireSSL` value.
+   */
+  string getRequireSSL() { result = getAttribute("requireSSL").getValue().trim().toLowerCase() }
+
+  /**
+   * Holds if there is any chance that `requireSSL` is set to `true` either globally or for Forms.
+   */
+  predicate isRequireSSL() {
+    getRequireSSL() = "true"
+    or
+    not getRequireSSL() = "false" and // not set all, i.e. default
+    exists(FormsElement forms | forms.getFile() = getFile() | forms.isRequireSSL())
+  }
+}
--- a/csharp/ql/src/semmle/code/csharp/frameworks/microsoft/AspNetCore.qll
+++ b/csharp/ql/src/semmle/code/csharp/frameworks/microsoft/AspNetCore.qll
@@ -298,6 +298,52 @@ class MicrosoftAspNetCoreHttpHeaderDictionaryExtensions extends RefType {
  Method getSetCommaSeparatedValuesMethod() { result = this.getAMethod("SetCommaSeparatedValues") }
 }

+/** The `Microsoft.AspNetCore.Http.CookieOptions` class. */
+class MicrosoftAspNetCoreHttpCookieOptions extends RefType {
+  MicrosoftAspNetCoreHttpCookieOptions() {
+    this.hasQualifiedName("Microsoft.AspNetCore.Http", "CookieOptions")
+  }
+}
+
+/** The `Microsoft.AspNetCore.Http.CookieBuilder` class. */
+class MicrosoftAspNetCoreHttpCookieBuilder extends RefType {
+  MicrosoftAspNetCoreHttpCookieBuilder() {
+    this.hasQualifiedName("Microsoft.AspNetCore.Http", "CookieBuilder")
+  }
+}
+
+/** The `Microsoft.AspNetCore.Builder.CookiePolicyOptions` class. */
+class MicrosoftAspNetCoreBuilderCookiePolicyOptions extends RefType {
+  MicrosoftAspNetCoreBuilderCookiePolicyOptions() {
+    this.hasQualifiedName("Microsoft.AspNetCore.Builder", "CookiePolicyOptions")
+  }
+}
+
+/** The `Microsoft.AspNetCore.CookiePolicy.AppendCookieContext` class. */
+class MicrosoftAspNetCoreCookiePolicyAppendCookieContext extends RefType {
+  MicrosoftAspNetCoreCookiePolicyAppendCookieContext() {
+    this.hasQualifiedName("Microsoft.AspNetCore.CookiePolicy", "AppendCookieContext")
+  }
+}
+
+/** The `Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationOptions` class. */
+class MicrosoftAspNetCoreAuthenticationCookiesCookieAuthenticationOptions extends RefType {
+  MicrosoftAspNetCoreAuthenticationCookiesCookieAuthenticationOptions() {
+    this.hasQualifiedName("Microsoft.AspNetCore.Authentication.Cookies",
+      "CookieAuthenticationOptions")
+  }
+}
+
+/** The `Microsoft.AspNetCore.Builder.CookiePolicyAppBuilderExtensions` class. */
+class MicrosoftAspNetCoreBuilderCookiePolicyAppBuilderExtensions extends RefType {
+  MicrosoftAspNetCoreBuilderCookiePolicyAppBuilderExtensions() {
+    this.hasQualifiedName("Microsoft.AspNetCore.Builder", "CookiePolicyAppBuilderExtensions")
+  }
+
+  /** Gets the `UseCookiePolicy` extension method. */
+  Method getUseCookiePolicyMethod() { result = this.getAMethod("UseCookiePolicy") }
+}
+
 /**
 * The `Microsoft.AspNetCore.Html.HtmlString` class, supposed to wrap HTML-encoded string in ASP.NET Core
 * Untrusted and unsanitized data should never flow there.
--- a/Features/CWE-1004/CookieHttpOnlyFalseAspNetCore/CookieBuilder/HttpOnly.expected
+++ b/Features/CWE-1004/CookieHttpOnlyFalseAspNetCore/CookieBuilder/HttpOnly.expected
@@ -0,0 +1,2 @@
+| Program.cs:15:33:15:37 | false | Cookie attribute 'HttpOnly' is not set to true. |
+| Program.cs:22:39:22:43 | false | Cookie attribute 'HttpOnly' is not set to true. |
--- a/Features/CWE-1004/CookieHttpOnlyFalseAspNetCore/CookieBuilder/HttpOnly.qlref
+++ b/Features/CWE-1004/CookieHttpOnlyFalseAspNetCore/CookieBuilder/HttpOnly.qlref
@@ -0,0 +1 @@
+experimental/Security Features/CWE-1004/CookieWithoutHttpOnly.ql
--- a/Features/CWE-1004/CookieHttpOnlyFalseAspNetCore/CookieBuilder/Program.cs
+++ b/Features/CWE-1004/CookieHttpOnlyFalseAspNetCore/CookieBuilder/Program.cs
@@ -0,0 +1,25 @@
+// semmle-extractor-options: ${testdir}/../../../../../resources/stubs/Microsoft.AspNetCore.Authentication.Cookies.cs ${testdir}/../../../../../resources/stubs/Microsoft.AspNetCore.Authentication.cs ${testdir}/../../../../../resources/stubs/Microsoft.Extensions.DependencyInjection.cs ${testdir}/../../../../../resources/stubs/Microsoft.AspNetCore.CookiePolicy.cs ${testdir}/../../../../../resources/stubs/Microsoft.AspNetCore.Hosting.cs ${testdir}/../../../../../resources/stubs/Microsoft.AspNetCore.Http.cs ${testdir}/../../../../../resources/stubs/Microsoft.AspNetCore.Mvc.cs ${testdir}/../../../../../resources/stubs/Microsoft.AspNetCore.Builder.cs
+
+using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Hosting;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Authentication;
+
+public class Startup
+{
+    public void ConfigureServices(IServiceCollection services)
+    {
+        services.AddAuthentication().AddCookie(o =>
+        {
+            o.Cookie.HttpOnly = false;
+            o.Cookie.SecurePolicy = Microsoft.AspNetCore.Http.CookieSecurePolicy.None;
+        });
+
+        services.AddSession(options =>
+        {
+            options.Cookie.SecurePolicy = Microsoft.AspNetCore.Http.CookieSecurePolicy.None;
+            options.Cookie.HttpOnly = false;
+        });
+    }
+}
--- a/Features/CWE-1004/CookieHttpOnlyFalseAspNetCore/NoPolicy/HttpOnly.expected
+++ b/Features/CWE-1004/CookieHttpOnlyFalseAspNetCore/NoPolicy/HttpOnly.expected
@@ -0,0 +1,4 @@
+| Program.cs:27:34:27:38 | false | Cookie attribute 'HttpOnly' is not set to true. |
+| Program.cs:40:88:40:92 | false | Cookie attribute 'HttpOnly' is not set to true. |
+| Program.cs:63:34:63:34 | access to local variable v | Cookie attribute 'HttpOnly' is not set to true. |
+| Program.cs:70:88:70:88 | access to local variable v | Cookie attribute 'HttpOnly' is not set to true. |
--- a/Features/CWE-1004/CookieHttpOnlyFalseAspNetCore/NoPolicy/HttpOnly.qlref
+++ b/Features/CWE-1004/CookieHttpOnlyFalseAspNetCore/NoPolicy/HttpOnly.qlref
@@ -0,0 +1 @@
+experimental/Security Features/CWE-1004/CookieWithoutHttpOnly.ql
--- a/Features/CWE-1004/CookieHttpOnlyFalseAspNetCore/NoPolicy/Program.cs
+++ b/Features/CWE-1004/CookieHttpOnlyFalseAspNetCore/NoPolicy/Program.cs
@@ -0,0 +1,73 @@
+// semmle-extractor-options: ${testdir}/../../../../../resources/stubs/Microsoft.AspNetCore.Http.cs ${testdir}/../../../../../resources/stubs/Microsoft.AspNetCore.Mvc.cs
+
+public class MyController : Microsoft.AspNetCore.Mvc.Controller
+{
+    public void CookieDelete()
+    {
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
+        Response.Cookies.Delete("auth", cookieOptions); // GOOD: Delete call
+    }
+
+    void CookieDirectTrue()
+    {
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
+        cookieOptions.HttpOnly = true;
+        Response.Cookies.Append("auth", "secret", cookieOptions); // GOOD
+    }
+
+    void CookieDirectTrueInitializer()
+    {
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions() { HttpOnly = true };
+        Response.Cookies.Append("auth", "secret", cookieOptions); // GOOD
+    }
+
+    void CookieDirectFalse()
+    {
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
+        cookieOptions.HttpOnly = false;
+        Response.Cookies.Append("auth", "secret", cookieOptions); // BAD
+    }
+
+    void CookieDirectFalseForgery()
+    {
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
+        cookieOptions.HttpOnly = false;
+        Response.Cookies.Append("antiforgerytoken", "secret", cookieOptions); // GOOD: not an auth cookie
+    }
+
+    void CookieDirectFalseInitializer()
+    {
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions() { HttpOnly = false };
+        Response.Cookies.Append("auth", "secret", cookieOptions); // BAD
+    }
+
+    void CookieIntermediateTrue()
+    {
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
+        bool v = true;
+        cookieOptions.HttpOnly = v;
+        Response.Cookies.Append("auth", "secret", cookieOptions); // GOOD: should track local data flow
+    }
+
+    void CookieIntermediateTrueInitializer()
+    {
+        bool v = true;
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions() { HttpOnly = v };
+        Response.Cookies.Append("auth", "secret", cookieOptions); // GOOD: should track local data flow
+    }
+
+    void CookieIntermediateFalse()
+    {
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
+        bool v = false;
+        cookieOptions.HttpOnly = v;
+        Response.Cookies.Append("auth", "secret", cookieOptions); // BAD
+    }
+
+    void CookieIntermediateFalseInitializer()
+    {
+        bool v = false;
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions() { HttpOnly = v };
+        Response.Cookies.Append("auth", "secret", cookieOptions); // BAD
+    }
+}
--- a/Features/CWE-1004/CookieHttpOnlyFalseAspNetCore/UseCookiePolicyCallback/HttpOnly.expected
+++ b/Features/CWE-1004/CookieHttpOnlyFalseAspNetCore/UseCookiePolicyCallback/HttpOnly.expected
--- a/Features/CWE-1004/CookieHttpOnlyFalseAspNetCore/UseCookiePolicyCallback/HttpOnly.qlref
+++ b/Features/CWE-1004/CookieHttpOnlyFalseAspNetCore/UseCookiePolicyCallback/HttpOnly.qlref
@@ -0,0 +1 @@
+experimental/Security Features/CWE-1004/CookieWithoutHttpOnly.ql
--- a/Features/CWE-1004/CookieHttpOnlyFalseAspNetCore/UseCookiePolicyCallback/Program.cs
+++ b/Features/CWE-1004/CookieHttpOnlyFalseAspNetCore/UseCookiePolicyCallback/Program.cs
@@ -0,0 +1,39 @@
+// semmle-extractor-options: ${testdir}/../../../../../resources/stubs/Microsoft.AspNetCore.Authentication.Cookies.cs ${testdir}/../../../../../resources/stubs/Microsoft.AspNetCore.Authentication.cs ${testdir}/../../../../../resources/stubs/Microsoft.Extensions.DependencyInjection.cs ${testdir}/../../../../../resources/stubs/Microsoft.AspNetCore.CookiePolicy.cs ${testdir}/../../../../../resources/stubs/Microsoft.AspNetCore.Hosting.cs ${testdir}/../../../../../resources/stubs/Microsoft.AspNetCore.Http.cs ${testdir}/../../../../../resources/stubs/Microsoft.AspNetCore.Mvc.cs ${testdir}/../../../../../resources/stubs/Microsoft.AspNetCore.Builder.cs
+
+using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Hosting;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.AspNetCore.Http;
+
+public class MyController : Microsoft.AspNetCore.Mvc.Controller
+{
+    public void CookieDefault()
+    {
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
+        cookieOptions.HttpOnly = false;
+        Response.Cookies.Append("auth", "secret", cookieOptions); // GOOD: HttpOnly is set in callback
+    }
+}
+
+public class Startup
+{
+    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
+    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
+    {
+        app.UseCookiePolicy();
+    }
+
+    public void ConfigureServices(IServiceCollection services)
+    {
+        services.Configure<CookiePolicyOptions>(options =>
+        {
+            options.OnAppendCookie = cookieContext => SetCookies(cookieContext.CookieOptions);
+        });
+    }
+
+    private void SetCookies(CookieOptions options)
+    {
+        options.Secure = true;
+        options.HttpOnly = true;
+    }
+}
--- a/Features/CWE-1004/CookieHttpOnlyFalseSystemWeb/HttpOnly.expected
+++ b/Features/CWE-1004/CookieHttpOnlyFalseSystemWeb/HttpOnly.expected
@@ -0,0 +1,4 @@
+| Program.cs:25:27:25:31 | false | Cookie attribute 'HttpOnly' is not set to true. |
+| Program.cs:30:74:30:78 | false | Cookie attribute 'HttpOnly' is not set to true. |
+| Program.cs:50:27:50:27 | access to local variable v | Cookie attribute 'HttpOnly' is not set to true. |
+| Program.cs:56:74:56:74 | access to local variable v | Cookie attribute 'HttpOnly' is not set to true. |
--- a/Features/CWE-1004/CookieHttpOnlyFalseSystemWeb/HttpOnly.qlref
+++ b/Features/CWE-1004/CookieHttpOnlyFalseSystemWeb/HttpOnly.qlref
@@ -0,0 +1 @@
+experimental/Security Features/CWE-1004/CookieWithoutHttpOnly.ql
--- a/Features/CWE-1004/CookieHttpOnlyFalseSystemWeb/Program.cs
+++ b/Features/CWE-1004/CookieHttpOnlyFalseSystemWeb/Program.cs
@@ -0,0 +1,58 @@
+// semmle-extractor-options: ${testdir}/../../../../resources/stubs/System.Web.cs /r:System.Collections.Specialized.dll
+
+class Program
+{
+    void CookieDirectTrue()
+    {
+        var cookie = new System.Web.HttpCookie("sessionID");
+        cookie.HttpOnly = true;  // GOOD
+    }
+
+    void CookieDirectTrueInitializer()
+    {
+        var cookie = new System.Web.HttpCookie("sessionID") { HttpOnly = true }; // GOOD
+    }
+
+    void CookieForgeryDirectFalse()
+    {
+        var cookie = new System.Web.HttpCookie("antiforgerytoken");
+        cookie.HttpOnly = false; // GOOD: not an auth cookie
+    }
+
+    void CookieDirectFalse()
+    {
+        var cookie = new System.Web.HttpCookie("sessionID");
+        cookie.HttpOnly = false; // BAD
+    }
+
+    void CookieDirectFalseInitializer()
+    {
+        var cookie = new System.Web.HttpCookie("sessionID") { HttpOnly = false }; // BAD
+    }
+
+    void CookieIntermediateTrue()
+    {
+        var cookie = new System.Web.HttpCookie("sessionID");
+        bool v = true;
+        cookie.HttpOnly = v; // GOOD: should track local data flow
+    }
+
+    void CookieIntermediateTrueInitializer()
+    {
+        bool v = true;
+        var cookie = new System.Web.HttpCookie("sessionID") { HttpOnly = v }; // GOOD: should track local data flow
+    }
+
+    void CookieIntermediateFalse()
+    {
+        var cookie = new System.Web.HttpCookie("sessionID");
+        bool v = false;
+        cookie.HttpOnly = v; // BAD
+    }
+
+    void CookieIntermediateFalseInitializer()
+    {
+        bool v = false;
+        var cookie = new System.Web.HttpCookie("sessionID") { HttpOnly = v }; // BAD
+    }
+}
--- a/Features/CWE-1004/CookieHttpOnlyFalseSystemWeb/Web.config
+++ b/Features/CWE-1004/CookieHttpOnlyFalseSystemWeb/Web.config
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<configuration>
+  <system.web>
+    <httpCookies />
+  </system.web>
+</configuration>
--- a/Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/NoPolicy/HttpOnly.expected
+++ b/Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/NoPolicy/HttpOnly.expected
@@ -0,0 +1,2 @@
+| Program.cs:7:9:7:49 | call to method Append | Cookie attribute 'HttpOnly' is not set to true. |
+| Program.cs:17:29:17:73 | object creation of type CookieOptions | Cookie attribute 'HttpOnly' is not set to true. |
--- a/Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/NoPolicy/HttpOnly.qlref
+++ b/Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/NoPolicy/HttpOnly.qlref
@@ -0,0 +1 @@
+experimental/Security Features/CWE-1004/CookieWithoutHttpOnly.ql
--- a/Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/NoPolicy/Program.cs
+++ b/Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/NoPolicy/Program.cs
@@ -0,0 +1,54 @@
+// semmle-extractor-options: ${testdir}/../../../../../resources/stubs/Microsoft.AspNetCore.Http.cs ${testdir}/../../../../../resources/stubs/Microsoft.AspNetCore.Mvc.cs
+
+public class MyController : Microsoft.AspNetCore.Mvc.Controller
+{
+    public void CookieDefault()
+    {
+        Response.Cookies.Append("auth", "secret"); // BAD: HttpOnly is set to false by default
+    }
+
+    public void CookieDefaultForgery()
+    {
+        Response.Cookies.Append("antiforgerytoken", "secret"); // GOOD: not an auth cookie
+    }
+
+    public void CookieDefault2()
+    {
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
+        Response.Cookies.Append("auth", "secret", cookieOptions); // BAD: HttpOnly is set to false by default
+    }
+
+    public void CookieDelete()
+    {
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
+        Response.Cookies.Delete("auth", cookieOptions); // GOOD: Delete call
+    }
+
+    void CookieDirectTrue()
+    {
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
+        cookieOptions.HttpOnly = true;
+        Response.Cookies.Append("auth", "secret", cookieOptions); // GOOD
+    }
+
+    void CookieDirectTrueInitializer()
+    {
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions() { HttpOnly = true };
+        Response.Cookies.Append("auth", "secret", cookieOptions); // GOOD
+    }
+
+    void CookieIntermediateTrue()
+    {
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
+        bool v = true;
+        cookieOptions.HttpOnly = v;
+        Response.Cookies.Append("auth", "secret", cookieOptions); // GOOD: should track local data flow
+    }
+
+    void CookieIntermediateTrueInitializer()
+    {
+        bool v = true;
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions() { HttpOnly = v };
+        Response.Cookies.Append("auth", "secret", cookieOptions); // GOOD: should track local data flow
+    }
+}
--- a/Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/UseCookiePolicyAlways/HttpOnly.expected
+++ b/Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/UseCookiePolicyAlways/HttpOnly.expected
--- a/Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/UseCookiePolicyAlways/HttpOnly.qlref
+++ b/Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/UseCookiePolicyAlways/HttpOnly.qlref
@@ -0,0 +1 @@
+experimental/Security Features/CWE-1004/CookieWithoutHttpOnly.ql
--- a/Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/UseCookiePolicyAlways/Program.cs
+++ b/Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/UseCookiePolicyAlways/Program.cs
@@ -0,0 +1,27 @@
+// semmle-extractor-options: ${testdir}/../../../../../resources/stubs/Microsoft.AspNetCore.CookiePolicy.cs ${testdir}/../../../../../resources/stubs/Microsoft.AspNetCore.Hosting.cs ${testdir}/../../../../../resources/stubs/Microsoft.AspNetCore.Http.cs ${testdir}/../../../../../resources/stubs/Microsoft.AspNetCore.Mvc.cs ${testdir}/../../../../../resources/stubs/Microsoft.AspNetCore.Builder.cs
+
+using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Hosting;
+
+public class MyController : Microsoft.AspNetCore.Mvc.Controller
+{
+    public void CookieDefault()
+    {
+        Response.Cookies.Append("auth", "secret"); // GOOD: HttpOnly is set in policy
+    }
+
+    public void CookieDefault2()
+    {
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
+        Response.Cookies.Append("auth", "secret", cookieOptions); // GOOD: HttpOnly is set in policy
+    }
+}
+
+public class Startup
+{
+    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
+    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
+    {
+        app.UseCookiePolicy(new CookiePolicyOptions() { HttpOnly = Microsoft.AspNetCore.CookiePolicy.HttpOnlyPolicy.Always});
+    }
+}
--- a/Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/UseCookiePolicyCallback/HttpOnly.expected
+++ b/Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/UseCookiePolicyCallback/HttpOnly.expected
--- a/Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/UseCookiePolicyCallback/HttpOnly.qlref
+++ b/Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/UseCookiePolicyCallback/HttpOnly.qlref
@@ -0,0 +1 @@
+experimental/Security Features/CWE-1004/CookieWithoutHttpOnly.ql
--- a/Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/UseCookiePolicyCallback/Program.cs
+++ b/Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/UseCookiePolicyCallback/Program.cs
@@ -0,0 +1,38 @@
+// semmle-extractor-options: ${testdir}/../../../../../resources/stubs/Microsoft.AspNetCore.Authentication.Cookies.cs ${testdir}/../../../../../resources/stubs/Microsoft.AspNetCore.Authentication.cs ${testdir}/../../../../../resources/stubs/Microsoft.Extensions.DependencyInjection.cs ${testdir}/../../../../../resources/stubs/Microsoft.AspNetCore.CookiePolicy.cs ${testdir}/../../../../../resources/stubs/Microsoft.AspNetCore.Hosting.cs ${testdir}/../../../../../resources/stubs/Microsoft.AspNetCore.Http.cs ${testdir}/../../../../../resources/stubs/Microsoft.AspNetCore.Mvc.cs ${testdir}/../../../../../resources/stubs/Microsoft.AspNetCore.Builder.cs
+
+using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Hosting;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.AspNetCore.Http;
+
+public class MyController : Microsoft.AspNetCore.Mvc.Controller
+{
+    public void CookieDefault()
+    {
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
+        Response.Cookies.Append("auth", "secret", cookieOptions); // GOOD: HttpOnly is set in callback
+    }
+}
+
+public class Startup
+{
+    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
+    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
+    {
+        app.UseCookiePolicy();
+    }
+
+    public void ConfigureServices(IServiceCollection services)
+    {
+        services.Configure<CookiePolicyOptions>(options =>
+        {
+            options.OnAppendCookie = cookieContext => SetCookies(cookieContext.CookieOptions);
+        });
+    }
+
+    private void SetCookies(CookieOptions options)
+    {
+        options.Secure = true;
+        options.HttpOnly = true;
+    }
+}
--- a/Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/UseCookiePolicyNone/HttpOnly.expected
+++ b/Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/UseCookiePolicyNone/HttpOnly.expected
@@ -0,0 +1,2 @@
+| Program.cs:10:9:10:49 | call to method Append | Cookie attribute 'HttpOnly' is not set to true. |
+| Program.cs:15:29:15:73 | object creation of type CookieOptions | Cookie attribute 'HttpOnly' is not set to true. |
--- a/Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/UseCookiePolicyNone/HttpOnly.qlref
+++ b/Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/UseCookiePolicyNone/HttpOnly.qlref
@@ -0,0 +1 @@
+experimental/Security Features/CWE-1004/CookieWithoutHttpOnly.ql
--- a/Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/UseCookiePolicyNone/Program.cs
+++ b/Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/UseCookiePolicyNone/Program.cs
@@ -0,0 +1,27 @@
+// semmle-extractor-options: ${testdir}/../../../../../resources/stubs/Microsoft.AspNetCore.CookiePolicy.cs ${testdir}/../../../../../resources/stubs/Microsoft.AspNetCore.Hosting.cs ${testdir}/../../../../../resources/stubs/Microsoft.AspNetCore.Http.cs ${testdir}/../../../../../resources/stubs/Microsoft.AspNetCore.Mvc.cs ${testdir}/../../../../../resources/stubs/Microsoft.AspNetCore.Builder.cs
+
+using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Hosting;
+
+public class MyController : Microsoft.AspNetCore.Mvc.Controller
+{
+    public void CookieDefault()
+    {
+        Response.Cookies.Append("auth", "secret"); // Bad: HttpOnly policy set to None
+    }
+
+    public void CookieDefault2()
+    {
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
+        Response.Cookies.Append("auth", "secret", cookieOptions); // Bad: HttpOnly policy set to None
+    }
+}
+
+public class Startup
+{
+    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
+    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
+    {
+        app.UseCookiePolicy(new CookiePolicyOptions() { HttpOnly = Microsoft.AspNetCore.CookiePolicy.HttpOnlyPolicy.None});
+    }
+}
--- a/Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/ConfigEmpty/HttpOnly.expected
+++ b/Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/ConfigEmpty/HttpOnly.expected
@@ -0,0 +1 @@
+| Program.cs:7:22:7:59 | object creation of type HttpCookie | Cookie attribute 'HttpOnly' is not set to true. |
--- a/Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/ConfigEmpty/HttpOnly.qlref
+++ b/Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/ConfigEmpty/HttpOnly.qlref
@@ -0,0 +1 @@
+experimental/Security Features/CWE-1004/CookieWithoutHttpOnly.ql
--- a/Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/ConfigEmpty/Program.cs
+++ b/Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/ConfigEmpty/Program.cs
@@ -0,0 +1,38 @@
+// semmle-extractor-options: ${testdir}/../../../../../resources/stubs/System.Web.cs /r:System.Collections.Specialized.dll
+
+class Program
+{
+    void CookieDefault()
+    {
+        var cookie = new System.Web.HttpCookie("sessionID"); // BAD: httpOnlyCookies is set to false by default
+    }
+
+    void CookieDefaultForgery()
+    {
+        var cookie = new System.Web.HttpCookie("anticsrftoken"); // GOOD: not an auth cookie
+    }
+
+    void CookieDirectTrue()
+    {
+        var cookie = new System.Web.HttpCookie("sessionID");
+        cookie.HttpOnly = true;  // GOOD
+    }
+
+    void CookieDirectTrueInitializer()
+    {
+        var cookie = new System.Web.HttpCookie("sessionID") { HttpOnly = true }; // GOOD
+    }
+
+    void CookieIntermediateTrue()
+    {
+        var cookie = new System.Web.HttpCookie("sessionID");
+        bool v = true;
+        cookie.HttpOnly = v; // GOOD: should track local data flow
+    }
+
+    void CookieIntermediateTrueInitializer()
+    {
+        bool v = true;
+        var cookie = new System.Web.HttpCookie("sessionID") { HttpOnly = v }; // GOOD: should track local data flow
+    }
+}
--- a/Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/ConfigEmpty/Web.config
+++ b/Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/ConfigEmpty/Web.config
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<configuration>
+  <system.web>
+    <httpCookies />
+  </system.web>
+</configuration>
--- a/Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/ConfigFalse/HttpOnly.expected
+++ b/Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/ConfigFalse/HttpOnly.expected
@@ -0,0 +1 @@
+| Program.cs:7:22:7:59 | object creation of type HttpCookie | Cookie attribute 'HttpOnly' is not set to true. |
--- a/Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/ConfigFalse/HttpOnly.qlref
+++ b/Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/ConfigFalse/HttpOnly.qlref
@@ -0,0 +1 @@
+experimental/Security Features/CWE-1004/CookieWithoutHttpOnly.ql
--- a/Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/ConfigFalse/Program.cs
+++ b/Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/ConfigFalse/Program.cs
@@ -0,0 +1,38 @@
+// semmle-extractor-options: ${testdir}/../../../../../resources/stubs/System.Web.cs /r:System.Collections.Specialized.dll
+
+class Program
+{
+    void CookieDefault()
+    {
+        var cookie = new System.Web.HttpCookie("sessionID"); // BAD: httpOnlyCookies is set to false in config
+    }
+
+    void CookieDefaultForgery()
+    {
+        var cookie = new System.Web.HttpCookie("anticsrftoken"); // GOOD: not an auth cookie
+    }
+
+    void CookieDirectTrue()
+    {
+        var cookie = new System.Web.HttpCookie("sessionID");
+        cookie.HttpOnly = true;  // GOOD
+    }
+
+    void CookieDirectTrueInitializer()
+    {
+        var cookie = new System.Web.HttpCookie("sessionID") { HttpOnly = true }; // GOOD
+    }
+
+    void CookieIntermediateTrue()
+    {
+        var cookie = new System.Web.HttpCookie("sessionID");
+        bool v = true;
+        cookie.HttpOnly = v; // GOOD: should track local data flow
+    }
+
+    void CookieIntermediateTrueInitializer()
+    {
+        bool v = true;
+        var cookie = new System.Web.HttpCookie("sessionID") { HttpOnly = v }; // GOOD: should track local data flow
+    }
+}
--- a/Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/ConfigFalse/Web.config
+++ b/Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/ConfigFalse/Web.config
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<configuration>
+  <system.web>
+    <httpCookies httpOnlyCookies="false" />
+  </system.web>
+</configuration>
--- a/Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/HttpCookiesTrue/HttpOnly.expected
+++ b/Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/HttpCookiesTrue/HttpOnly.expected
--- a/Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/HttpCookiesTrue/HttpOnly.qlref
+++ b/Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/HttpCookiesTrue/HttpOnly.qlref
@@ -0,0 +1 @@
+experimental/Security Features/CWE-1004/CookieWithoutHttpOnly.ql
--- a/Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/HttpCookiesTrue/Program.cs
+++ b/Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/HttpCookiesTrue/Program.cs
@@ -0,0 +1,38 @@
+// semmle-extractor-options: ${testdir}/../../../../../resources/stubs/System.Web.cs /r:System.Collections.Specialized.dll
+
+class Program
+{
+    void CookieDefault()
+    {
+        var cookie = new System.Web.HttpCookie("sessionID"); // GOOD: httpOnlyCookies is set to true in config
+    }
+
+    void CookieDefaultForgery()
+    {
+        var cookie = new System.Web.HttpCookie("anticsrftoken"); // GOOD: not an auth cookie
+    }
+
+    void CookieDirectTrue()
+    {
+        var cookie = new System.Web.HttpCookie("sessionID");
+        cookie.HttpOnly = true;  // GOOD
+    }
+
+    void CookieDirectTrueInitializer()
+    {
+        var cookie = new System.Web.HttpCookie("sessionID") { HttpOnly = true }; // GOOD
+    }
+
+    void CookieIntermediateTrue()
+    {
+        var cookie = new System.Web.HttpCookie("sessionID");
+        bool v = true;
+        cookie.HttpOnly = v; // GOOD: should track local data flow
+    }
+
+    void CookieIntermediateTrueInitializer()
+    {
+        bool v = true;
+        var cookie = new System.Web.HttpCookie("sessionID") { HttpOnly = v }; // GOOD: should track local data flow
+    }
+}
--- a/Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/HttpCookiesTrue/Web.config
+++ b/Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/HttpCookiesTrue/Web.config
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<configuration>
+  <system.web>
+    <httpCookies httpOnlyCookies="true" />
+  </system.web>
+</configuration>
--- a/Features/CWE-614/RequireSSLAspNetCore/NoPolicy/Program.cs
+++ b/Features/CWE-614/RequireSSLAspNetCore/NoPolicy/Program.cs
@@ -0,0 +1,49 @@
+// semmle-extractor-options: ${testdir}/../../../../../resources/stubs/Microsoft.AspNetCore.Http.cs ${testdir}/../../../../../resources/stubs/Microsoft.AspNetCore.Mvc.cs
+
+public class MyController : Microsoft.AspNetCore.Mvc.Controller
+{
+    public void CookieDefault()
+    {
+        Response.Cookies.Append("name", "value"); // BAD: requireSSL is set to false by default
+    }
+
+    public void CookieDefault2()
+    {
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
+        Response.Cookies.Append("name", "value", cookieOptions); // BAD: requireSSL is set to false by default
+    }
+
+    public void CookieDelete()
+    {
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
+        Response.Cookies.Delete("name", cookieOptions); // GOOD: Delete call
+    }
+
+    void CookieDirectTrue()
+    {
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
+        cookieOptions.Secure = true;
+        Response.Cookies.Append("auth", "secret", cookieOptions); // GOOD
+    }
+
+    void CookieDirectTrueInitializer()
+    {
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions() { Secure = true };
+        Response.Cookies.Append("auth", "secret", cookieOptions); // GOOD
+    }
+
+    void CookieIntermediateTrue()
+    {
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
+        bool v = true;
+        cookieOptions.Secure = v;
+        Response.Cookies.Append("auth", "secret", cookieOptions); // GOOD: should track local data flow
+    }
+
+    void CookieIntermediateTrueInitializer()
+    {
+        bool v = true;
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions() { Secure = v };
+        Response.Cookies.Append("auth", "secret", cookieOptions); // GOOD: should track local data flow
+    }
+}
--- a/Features/CWE-614/RequireSSLAspNetCore/NoPolicy/RequireSSL.expected
+++ b/Features/CWE-614/RequireSSLAspNetCore/NoPolicy/RequireSSL.expected
@@ -0,0 +1,2 @@
+| Program.cs:7:9:7:48 | call to method Append | Cookie attribute 'Secure' is not set to true. |
+| Program.cs:12:29:12:73 | object creation of type CookieOptions | Cookie attribute 'Secure' is not set to true. |
--- a/Features/CWE-614/RequireSSLAspNetCore/NoPolicy/RequireSSL.qlref
+++ b/Features/CWE-614/RequireSSLAspNetCore/NoPolicy/RequireSSL.qlref
@@ -0,0 +1 @@
+experimental/Security Features/CWE-614/CookieWithoutSecure.ql
--- a/Features/CWE-614/RequireSSLAspNetCore/UseCookiePolicyAlways/Program.cs
+++ b/Features/CWE-614/RequireSSLAspNetCore/UseCookiePolicyAlways/Program.cs
@@ -0,0 +1,27 @@
+// semmle-extractor-options: ${testdir}/../../../../../resources/stubs/Microsoft.AspNetCore.CookiePolicy.cs ${testdir}/../../../../../resources/stubs/Microsoft.AspNetCore.Hosting.cs ${testdir}/../../../../../resources/stubs/Microsoft.AspNetCore.Http.cs ${testdir}/../../../../../resources/stubs/Microsoft.AspNetCore.Mvc.cs ${testdir}/../../../../../resources/stubs/Microsoft.AspNetCore.Builder.cs
+
+using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Hosting;
+
+public class MyController : Microsoft.AspNetCore.Mvc.Controller
+{
+    public void CookieDefault()
+    {
+        Response.Cookies.Append("auth", "secret"); // GOOD: Secure is set in policy
+    }
+
+    public void CookieDefault2()
+    {
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
+        Response.Cookies.Append("auth", "secret", cookieOptions); // GOOD: Secure is set in policy
+    }
+}
+
+public class Startup
+{
+    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
+    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
+    {
+        app.UseCookiePolicy(new CookiePolicyOptions() { Secure = Microsoft.AspNetCore.Http.CookieSecurePolicy.Always });
+    }
+}
--- a/Features/CWE-614/RequireSSLAspNetCore/UseCookiePolicyAlways/RequireSSL.expected
+++ b/Features/CWE-614/RequireSSLAspNetCore/UseCookiePolicyAlways/RequireSSL.expected
--- a/Features/CWE-614/RequireSSLAspNetCore/UseCookiePolicyAlways/RequireSSL.qlref
+++ b/Features/CWE-614/RequireSSLAspNetCore/UseCookiePolicyAlways/RequireSSL.qlref
@@ -0,0 +1 @@
+experimental/Security Features/CWE-614/CookieWithoutSecure.ql
--- a/Features/CWE-614/RequireSSLAspNetCore/UseCookiePolicyCallback/Program.cs
+++ b/Features/CWE-614/RequireSSLAspNetCore/UseCookiePolicyCallback/Program.cs
@@ -0,0 +1,43 @@
+// semmle-extractor-options: ${testdir}/../../../../../resources/stubs/Microsoft.AspNetCore.Authentication.Cookies.cs ${testdir}/../../../../../resources/stubs/Microsoft.AspNetCore.Authentication.cs ${testdir}/../../../../../resources/stubs/Microsoft.Extensions.DependencyInjection.cs ${testdir}/../../../../../resources/stubs/Microsoft.AspNetCore.CookiePolicy.cs ${testdir}/../../../../../resources/stubs/Microsoft.AspNetCore.Hosting.cs ${testdir}/../../../../../resources/stubs/Microsoft.AspNetCore.Http.cs ${testdir}/../../../../../resources/stubs/Microsoft.AspNetCore.Mvc.cs ${testdir}/../../../../../resources/stubs/Microsoft.AspNetCore.Builder.cs
+
+using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Hosting;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.AspNetCore.Http;
+
+public class MyController : Microsoft.AspNetCore.Mvc.Controller
+{
+    public void CookieDefault()
+    {
+        Response.Cookies.Append("auth", "secret"); // GOOD: Secure is set in callback
+    }
+
+    public void CookieDefault2()
+    {
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
+        Response.Cookies.Append("auth", "secret", cookieOptions); // GOOD: Secure is set in callback
+    }
+}
+
+public class Startup
+{
+    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
+    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
+    {
+        app.UseCookiePolicy();
+    }
+
+    public void ConfigureServices(IServiceCollection services)
+    {
+        services.Configure<CookiePolicyOptions>(options =>
+        {
+            options.OnAppendCookie = cookieContext => SetCookies(cookieContext.CookieOptions);
+        });
+    }
+
+    private void SetCookies(CookieOptions options)
+    {
+        options.Secure = true;
+        options.HttpOnly = true;
+    }
+}
--- a/Features/CWE-614/RequireSSLAspNetCore/UseCookiePolicyCallback/RequireSSL.expected
+++ b/Features/CWE-614/RequireSSLAspNetCore/UseCookiePolicyCallback/RequireSSL.expected
--- a/Features/CWE-614/RequireSSLAspNetCore/UseCookiePolicyCallback/RequireSSL.qlref
+++ b/Features/CWE-614/RequireSSLAspNetCore/UseCookiePolicyCallback/RequireSSL.qlref
@@ -0,0 +1 @@
+experimental/Security Features/CWE-614/CookieWithoutSecure.ql
--- a/Features/CWE-614/RequireSSLAspNetCore/UseCookiePolicyNone/Program.cs
+++ b/Features/CWE-614/RequireSSLAspNetCore/UseCookiePolicyNone/Program.cs
@@ -0,0 +1,27 @@
+// semmle-extractor-options: ${testdir}/../../../../../resources/stubs/Microsoft.AspNetCore.CookiePolicy.cs ${testdir}/../../../../../resources/stubs/Microsoft.AspNetCore.Hosting.cs ${testdir}/../../../../../resources/stubs/Microsoft.AspNetCore.Http.cs ${testdir}/../../../../../resources/stubs/Microsoft.AspNetCore.Mvc.cs ${testdir}/../../../../../resources/stubs/Microsoft.AspNetCore.Builder.cs
+
+using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Hosting;
+
+public class MyController : Microsoft.AspNetCore.Mvc.Controller
+{
+    public void CookieDefault()
+    {
+        Response.Cookies.Append("auth", "secret"); // Bad: Secure policy set to None
+    }
+
+    public void CookieDefault2()
+    {
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
+        Response.Cookies.Append("auth", "secret", cookieOptions); // Bad: Secure policy set to None
+    }
+}
+
+public class Startup
+{
+    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
+    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
+    {
+        app.UseCookiePolicy(new CookiePolicyOptions() { Secure = Microsoft.AspNetCore.Http.CookieSecurePolicy.None });
+    }
+}
--- a/Features/CWE-614/RequireSSLAspNetCore/UseCookiePolicyNone/RequireSSL.expected
+++ b/Features/CWE-614/RequireSSLAspNetCore/UseCookiePolicyNone/RequireSSL.expected
@@ -0,0 +1,2 @@
+| Program.cs:10:9:10:49 | call to method Append | Cookie attribute 'Secure' is not set to true. |
+| Program.cs:15:29:15:73 | object creation of type CookieOptions | Cookie attribute 'Secure' is not set to true. |
--- a/Features/CWE-614/RequireSSLAspNetCore/UseCookiePolicyNone/RequireSSL.qlref
+++ b/Features/CWE-614/RequireSSLAspNetCore/UseCookiePolicyNone/RequireSSL.qlref
@@ -0,0 +1 @@
+experimental/Security Features/CWE-614/CookieWithoutSecure.ql
--- a/Features/CWE-614/RequireSSLFalseAspNetCore/CookieBuilder/Program.cs
+++ b/Features/CWE-614/RequireSSLFalseAspNetCore/CookieBuilder/Program.cs
@@ -0,0 +1,25 @@
+// semmle-extractor-options: ${testdir}/../../../../../resources/stubs/Microsoft.AspNetCore.Authentication.Cookies.cs ${testdir}/../../../../../resources/stubs/Microsoft.AspNetCore.Authentication.cs ${testdir}/../../../../../resources/stubs/Microsoft.Extensions.DependencyInjection.cs ${testdir}/../../../../../resources/stubs/Microsoft.AspNetCore.CookiePolicy.cs ${testdir}/../../../../../resources/stubs/Microsoft.AspNetCore.Hosting.cs ${testdir}/../../../../../resources/stubs/Microsoft.AspNetCore.Http.cs ${testdir}/../../../../../resources/stubs/Microsoft.AspNetCore.Mvc.cs ${testdir}/../../../../../resources/stubs/Microsoft.AspNetCore.Builder.cs
+
+using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Hosting;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Authentication;
+
+public class Startup
+{
+    public void ConfigureServices(IServiceCollection services)
+    {
+        services.AddAuthentication().AddCookie(o =>
+        {
+            o.Cookie.HttpOnly = false;
+            o.Cookie.SecurePolicy = Microsoft.AspNetCore.Http.CookieSecurePolicy.None;
+        });
+
+        services.AddSession(options =>
+        {
+            options.Cookie.SecurePolicy = Microsoft.AspNetCore.Http.CookieSecurePolicy.None;
+            options.Cookie.HttpOnly = false;
+        });
+    }
+}
--- a/Features/CWE-614/RequireSSLFalseAspNetCore/CookieBuilder/RequireSSL.expected
+++ b/Features/CWE-614/RequireSSLFalseAspNetCore/CookieBuilder/RequireSSL.expected
@@ -0,0 +1,2 @@
+| Program.cs:16:37:16:85 | access to constant None | Cookie attribute 'Secure' is not set to true. |
+| Program.cs:21:43:21:91 | access to constant None | Cookie attribute 'Secure' is not set to true. |
--- a/Features/CWE-614/RequireSSLFalseAspNetCore/CookieBuilder/RequireSSL.qlref
+++ b/Features/CWE-614/RequireSSLFalseAspNetCore/CookieBuilder/RequireSSL.qlref
@@ -0,0 +1 @@
+experimental/Security Features/CWE-614/CookieWithoutSecure.ql
--- a/Features/CWE-614/RequireSSLFalseAspNetCore/NoPolicy/Program.cs
+++ b/Features/CWE-614/RequireSSLFalseAspNetCore/NoPolicy/Program.cs
@@ -0,0 +1,66 @@
+// semmle-extractor-options: ${testdir}/../../../../../resources/stubs/Microsoft.AspNetCore.Http.cs ${testdir}/../../../../../resources/stubs/Microsoft.AspNetCore.Mvc.cs
+
+public class MyController : Microsoft.AspNetCore.Mvc.Controller
+{
+    public void CookieDelete()
+    {
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
+        Response.Cookies.Delete("name", cookieOptions); // GOOD: Delete call
+    }
+
+    void CookieDirectTrue()
+    {
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
+        cookieOptions.Secure = true;
+        Response.Cookies.Append("auth", "secret", cookieOptions); // GOOD
+    }
+
+    void CookieDirectTrueInitializer()
+    {
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions() { Secure = true };
+        Response.Cookies.Append("auth", "secret", cookieOptions); // GOOD
+    }
+
+    void CookieDirectFalse()
+    {
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
+        cookieOptions.Secure = false;
+        Response.Cookies.Append("auth", "secret", cookieOptions); // BAD
+    }
+
+    void CookieDirectFalseInitializer()
+    {
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions() { Secure = false };
+        Response.Cookies.Append("auth", "secret", cookieOptions); // BAD
+    }
+
+    void CookieIntermediateTrue()
+    {
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
+        bool v = true;
+        cookieOptions.Secure = v;
+        Response.Cookies.Append("auth", "secret", cookieOptions); // GOOD: should track local data flow
+    }
+
+    void CookieIntermediateTrueInitializer()
+    {
+        bool v = true;
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions() { Secure = v };
+        Response.Cookies.Append("auth", "secret", cookieOptions); // GOOD: should track local data flow
+    }
+
+    void CookieIntermediateFalse()
+    {
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
+        bool v = false;
+        cookieOptions.Secure = v;
+        Response.Cookies.Append("auth", "secret", cookieOptions); // BAD
+    }
+
+    void CookieIntermediateFalseInitializer()
+    {
+        bool v = false;
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions() { Secure = v };
+        Response.Cookies.Append("auth", "secret", cookieOptions); // BAD
+    }
+}
--- a/Features/CWE-614/RequireSSLFalseAspNetCore/NoPolicy/RequireSSL.expected
+++ b/Features/CWE-614/RequireSSLFalseAspNetCore/NoPolicy/RequireSSL.expected
@@ -0,0 +1,4 @@
+| Program.cs:27:32:27:36 | false | Cookie attribute 'Secure' is not set to true. |
+| Program.cs:33:86:33:90 | false | Cookie attribute 'Secure' is not set to true. |
+| Program.cs:56:32:56:32 | access to local variable v | Cookie attribute 'Secure' is not set to true. |
+| Program.cs:63:86:63:86 | access to local variable v | Cookie attribute 'Secure' is not set to true. |
--- a/Features/CWE-614/RequireSSLFalseAspNetCore/NoPolicy/RequireSSL.qlref
+++ b/Features/CWE-614/RequireSSLFalseAspNetCore/NoPolicy/RequireSSL.qlref
@@ -0,0 +1 @@
+experimental/Security Features/CWE-614/CookieWithoutSecure.ql
--- a/Features/CWE-614/RequireSSLFalseAspNetCore/UseCookiePolicyCallback/Program.cs
+++ b/Features/CWE-614/RequireSSLFalseAspNetCore/UseCookiePolicyCallback/Program.cs
@@ -0,0 +1,39 @@
+// semmle-extractor-options: ${testdir}/../../../../../resources/stubs/Microsoft.AspNetCore.Authentication.Cookies.cs ${testdir}/../../../../../resources/stubs/Microsoft.AspNetCore.Authentication.cs ${testdir}/../../../../../resources/stubs/Microsoft.Extensions.DependencyInjection.cs ${testdir}/../../../../../resources/stubs/Microsoft.AspNetCore.CookiePolicy.cs ${testdir}/../../../../../resources/stubs/Microsoft.AspNetCore.Hosting.cs ${testdir}/../../../../../resources/stubs/Microsoft.AspNetCore.Http.cs ${testdir}/../../../../../resources/stubs/Microsoft.AspNetCore.Mvc.cs ${testdir}/../../../../../resources/stubs/Microsoft.AspNetCore.Builder.cs
+
+using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Hosting;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.AspNetCore.Http;
+
+public class MyController : Microsoft.AspNetCore.Mvc.Controller
+{
+    public void CookieDefault()
+    {
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
+        cookieOptions.Secure = false;
+        Response.Cookies.Append("auth", "secret", cookieOptions); // GOOD: Secure is set in callback
+    }
+}
+
+public class Startup
+{
+    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
+    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
+    {
+        app.UseCookiePolicy();
+    }
+
+    public void ConfigureServices(IServiceCollection services)
+    {
+        services.Configure<CookiePolicyOptions>(options =>
+        {
+            options.OnAppendCookie = cookieContext => SetCookies(cookieContext.CookieOptions);
+        });
+    }
+
+    private void SetCookies(CookieOptions options)
+    {
+        options.Secure = true;
+        options.HttpOnly = true;
+    }
+}
--- a/Features/CWE-614/RequireSSLFalseAspNetCore/UseCookiePolicyCallback/RequireSSL.expected
+++ b/Features/CWE-614/RequireSSLFalseAspNetCore/UseCookiePolicyCallback/RequireSSL.expected
--- a/Features/CWE-614/RequireSSLFalseAspNetCore/UseCookiePolicyCallback/RequireSSL.qlref
+++ b/Features/CWE-614/RequireSSLFalseAspNetCore/UseCookiePolicyCallback/RequireSSL.qlref
@@ -0,0 +1 @@
+experimental/Security Features/CWE-614/CookieWithoutSecure.ql
--- a/Features/CWE-614/RequireSSLFalseSystemWeb/Program.cs
+++ b/Features/CWE-614/RequireSSLFalseSystemWeb/Program.cs
@@ -0,0 +1,52 @@
+// semmle-extractor-options: ${testdir}/../../../../resources/stubs/System.Web.cs /r:System.Collections.Specialized.dll
+
+class Program
+{
+    void CookieDirectTrue()
+    {
+        var cookie = new System.Web.HttpCookie("cookieName");
+        cookie.Secure = true;  // GOOD
+    }
+
+    void CookieDirectTrueInitializer()
+    {
+        var cookie = new System.Web.HttpCookie("cookieName") { Secure = true }; // GOOD
+    }
+
+    void CookieDirectFalse()
+    {
+        var cookie = new System.Web.HttpCookie("cookieName");
+        cookie.Secure = false; // BAD
+    }
+
+    void CookieDirectFalseInitializer()
+    {
+        var cookie = new System.Web.HttpCookie("cookieName") { Secure = false }; // BAD
+    }
+
+    void CookieIntermediateTrue()
+    {
+        var cookie = new System.Web.HttpCookie("cookieName");
+        bool v = true;
+        cookie.Secure = v; // GOOD: should track local data flow
+    }
+
+    void CookieIntermediateTrueInitializer()
+    {
+        bool v = true;
+        var cookie = new System.Web.HttpCookie("cookieName") { Secure = v }; // GOOD: should track local data flow
+    }
+
+    void CookieIntermediateFalse()
+    {
+        var cookie = new System.Web.HttpCookie("cookieName");
+        bool v = false;
+        cookie.Secure = v; // BAD
+    }
+
+    void CookieIntermediateFalseInitializer()
+    {
+        bool v = false;
+        var cookie = new System.Web.HttpCookie("cookieName") { Secure = v }; // BAD
+    }
+}
--- a/Features/CWE-614/RequireSSLFalseSystemWeb/RequireSSL.expected
+++ b/Features/CWE-614/RequireSSLFalseSystemWeb/RequireSSL.expected
@@ -0,0 +1,4 @@
+| Program.cs:19:25:19:29 | false | Cookie attribute 'Secure' is not set to true. |
+| Program.cs:24:73:24:77 | false | Cookie attribute 'Secure' is not set to true. |
+| Program.cs:44:25:44:25 | access to local variable v | Cookie attribute 'Secure' is not set to true. |
+| Program.cs:50:73:50:73 | access to local variable v | Cookie attribute 'Secure' is not set to true. |
--- a/Features/CWE-614/RequireSSLFalseSystemWeb/RequireSSL.qlref
+++ b/Features/CWE-614/RequireSSLFalseSystemWeb/RequireSSL.qlref
@@ -0,0 +1 @@
+experimental/Security Features/CWE-614/CookieWithoutSecure.ql
--- a/Features/CWE-614/RequireSSLFalseSystemWeb/Web.config
+++ b/Features/CWE-614/RequireSSLFalseSystemWeb/Web.config
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<configuration>
+  <system.web>
+    <httpCookies />
+  </system.web>
+</configuration>
--- a/Features/CWE-614/RequireSSLSystemWeb/ConfigEmpty/Program.cs
+++ b/Features/CWE-614/RequireSSLSystemWeb/ConfigEmpty/Program.cs
@@ -0,0 +1,33 @@
+// semmle-extractor-options: ${testdir}/../../../../../resources/stubs/System.Web.cs /r:System.Collections.Specialized.dll
+
+class Program
+{
+    void CookieDefault()
+    {
+        var cookie = new System.Web.HttpCookie("cookieName"); // BAD: requireSSL is set to false by default
+    }
+
+    void CookieDirectTrue()
+    {
+        var cookie = new System.Web.HttpCookie("cookieName");
+        cookie.Secure = true;  // GOOD
+    }
+
+    void CookieDirectTrueInitializer()
+    {
+        var cookie = new System.Web.HttpCookie("cookieName") { Secure = true }; // GOOD
+    }
+
+    void CookieIntermediateTrue()
+    {
+        var cookie = new System.Web.HttpCookie("cookieName");
+        bool v = true;
+        cookie.Secure = v; // GOOD: should track local data flow
+    }
+
+    void CookieIntermediateTrueInitializer()
+    {
+        bool v = true;
+        var cookie = new System.Web.HttpCookie("cookieName") { Secure = v }; // GOOD: should track local data flow
+    }
+}
--- a/Features/CWE-614/RequireSSLSystemWeb/ConfigEmpty/RequireSSL.expected
+++ b/Features/CWE-614/RequireSSLSystemWeb/ConfigEmpty/RequireSSL.expected
@@ -0,0 +1 @@
+| Program.cs:7:22:7:60 | object creation of type HttpCookie | Cookie attribute 'Secure' is not set to true. |
--- a/Features/CWE-614/RequireSSLSystemWeb/ConfigEmpty/RequireSSL.qlref
+++ b/Features/CWE-614/RequireSSLSystemWeb/ConfigEmpty/RequireSSL.qlref
@@ -0,0 +1 @@
+experimental/Security Features/CWE-614/CookieWithoutSecure.ql
--- a/Features/CWE-614/RequireSSLSystemWeb/ConfigEmpty/Web.config
+++ b/Features/CWE-614/RequireSSLSystemWeb/ConfigEmpty/Web.config
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<configuration>
+  <system.web>
+    <httpCookies />
+  </system.web>
+</configuration>
--- a/Features/CWE-614/RequireSSLSystemWeb/ConfigFalse/Program.cs
+++ b/Features/CWE-614/RequireSSLSystemWeb/ConfigFalse/Program.cs
@@ -0,0 +1,33 @@
+// semmle-extractor-options: ${testdir}/../../../../../resources/stubs/System.Web.cs /r:System.Collections.Specialized.dll
+
+class Program
+{
+    void CookieDefault()
+    {
+        var cookie = new System.Web.HttpCookie("cookieName"); // BAD: requireSSL is set to false in config
+    }
+
+    void CookieDirectTrue()
+    {
+        var cookie = new System.Web.HttpCookie("cookieName");
+        cookie.Secure = true;  // GOOD
+    }
+
+    void CookieDirectTrueInitializer()
+    {
+        var cookie = new System.Web.HttpCookie("cookieName") { Secure = true }; // GOOD
+    }
+
+    void CookieIntermediateTrue()
+    {
+        var cookie = new System.Web.HttpCookie("cookieName");
+        bool v = true;
+        cookie.Secure = v; // GOOD: should track local data flow
+    }
+
+    void CookieIntermediateTrueInitializer()
+    {
+        bool v = true;
+        var cookie = new System.Web.HttpCookie("cookieName") { Secure = v }; // GOOD: should track local data flow
+    }
+}
--- a/Features/CWE-614/RequireSSLSystemWeb/ConfigFalse/RequireSSL.expected
+++ b/Features/CWE-614/RequireSSLSystemWeb/ConfigFalse/RequireSSL.expected
@@ -0,0 +1 @@
+| Program.cs:7:22:7:60 | object creation of type HttpCookie | Cookie attribute 'Secure' is not set to true. |
--- a/Features/CWE-614/RequireSSLSystemWeb/ConfigFalse/RequireSSL.qlref
+++ b/Features/CWE-614/RequireSSLSystemWeb/ConfigFalse/RequireSSL.qlref
@@ -0,0 +1 @@
+experimental/Security Features/CWE-614/CookieWithoutSecure.ql
--- a/Features/CWE-614/RequireSSLSystemWeb/ConfigFalse/Web.config
+++ b/Features/CWE-614/RequireSSLSystemWeb/ConfigFalse/Web.config
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<configuration>
+  <system.web>
+    <httpCookies requireSSL="false" />
+  </system.web>
+</configuration>
--- a/Features/CWE-614/RequireSSLSystemWeb/FormsTrue/Program.cs
+++ b/Features/CWE-614/RequireSSLSystemWeb/FormsTrue/Program.cs
@@ -0,0 +1,33 @@
+// semmle-extractor-options: ${testdir}/../../../../../resources/stubs/System.Web.cs /r:System.Collections.Specialized.dll
+
+class Program
+{
+    void CookieDefault()
+    {
+        var cookie = new System.Web.HttpCookie("cookieName"); // GOOD: requireSSL is set to true in config
+    }
+
+    void CookieDirectTrue()
+    {
+        var cookie = new System.Web.HttpCookie("cookieName");
+        cookie.Secure = true;  // GOOD
+    }
+
+    void CookieDirectTrueInitializer()
+    {
+        var cookie = new System.Web.HttpCookie("cookieName") { Secure = true }; // GOOD
+    }
+
+    void CookieIntermediateTrue()
+    {
+        var cookie = new System.Web.HttpCookie("cookieName");
+        bool v = true;
+        cookie.Secure = v; // GOOD: should track local data flow
+    }
+
+    void CookieIntermediateTrueInitializer()
+    {
+        bool v = true;
+        var cookie = new System.Web.HttpCookie("cookieName") { Secure = v }; // GOOD: should track local data flow
+    }
+}
--- a/Features/CWE-614/RequireSSLSystemWeb/FormsTrue/RequireSSL.expected
+++ b/Features/CWE-614/RequireSSLSystemWeb/FormsTrue/RequireSSL.expected
--- a/Features/CWE-614/RequireSSLSystemWeb/FormsTrue/RequireSSL.qlref
+++ b/Features/CWE-614/RequireSSLSystemWeb/FormsTrue/RequireSSL.qlref
@@ -0,0 +1 @@
+experimental/Security Features/CWE-614/CookieWithoutSecure.ql
--- a/Features/CWE-614/RequireSSLSystemWeb/FormsTrue/Web.config
+++ b/Features/CWE-614/RequireSSLSystemWeb/FormsTrue/Web.config
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<configuration>
+  <system.web>
+    <authentication>
+      <forms requireSSL=" True "/>
+    </authentication>
+    <httpCookies />
+  </system.web>
+</configuration>
--- a/Features/CWE-614/RequireSSLSystemWeb/HttpCookiesTrue/Program.cs
+++ b/Features/CWE-614/RequireSSLSystemWeb/HttpCookiesTrue/Program.cs
@@ -0,0 +1,33 @@
+// semmle-extractor-options: ${testdir}/../../../../../resources/stubs/System.Web.cs /r:System.Collections.Specialized.dll
+
+class Program
+{
+    void CookieDefault()
+    {
+        var cookie = new System.Web.HttpCookie("cookieName"); // GOOD: requireSSL is set to true in config
+    }
+
+    void CookieDirectTrue()
+    {
+        var cookie = new System.Web.HttpCookie("cookieName");
+        cookie.Secure = true;  // GOOD
+    }
+
+    void CookieDirectTrueInitializer()
+    {
+        var cookie = new System.Web.HttpCookie("cookieName") { Secure = true }; // GOOD
+    }
+
+    void CookieIntermediateTrue()
+    {
+        var cookie = new System.Web.HttpCookie("cookieName");
+        bool v = true;
+        cookie.Secure = v; // GOOD: should track local data flow
+    }
+
+    void CookieIntermediateTrueInitializer()
+    {
+        bool v = true;
+        var cookie = new System.Web.HttpCookie("cookieName") { Secure = v }; // GOOD: should track local data flow
+    }
+}
--- a/Features/CWE-614/RequireSSLSystemWeb/HttpCookiesTrue/RequireSSL.expected
+++ b/Features/CWE-614/RequireSSLSystemWeb/HttpCookiesTrue/RequireSSL.expected
--- a/Features/CWE-614/RequireSSLSystemWeb/HttpCookiesTrue/RequireSSL.qlref
+++ b/Features/CWE-614/RequireSSLSystemWeb/HttpCookiesTrue/RequireSSL.qlref
@@ -0,0 +1 @@
+experimental/Security Features/CWE-614/CookieWithoutSecure.ql
--- a/Features/CWE-614/RequireSSLSystemWeb/HttpCookiesTrue/Web.config
+++ b/Features/CWE-614/RequireSSLSystemWeb/HttpCookiesTrue/Web.config
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<configuration>
+  <system.web>
+    <httpCookies requireSSL="true" />
+  </system.web>
+</configuration>
--- a/csharp/ql/test/resources/stubs/Microsoft.AspNetCore.Authentication.Cookies.cs
+++ b/csharp/ql/test/resources/stubs/Microsoft.AspNetCore.Authentication.Cookies.cs
@@ -0,0 +1,49 @@
+using Microsoft.AspNetCore.Http;
+using System;
+using System.Runtime.CompilerServices;
+using Microsoft.AspNetCore.Authentication;
+
+namespace Microsoft.AspNetCore.Authentication.Cookies
+{
+    public class CookieAuthenticationOptions : AuthenticationSchemeOptions
+    {
+        public CookieBuilder Cookie
+        {
+            get
+            {
+                throw null;
+            }
+            set
+            {
+            }
+        }
+
+        public bool CookieHttpOnly
+        {
+            get
+            {
+                return Cookie.HttpOnly;
+            }
+            set
+            {
+                Cookie.HttpOnly = value;
+            }
+        }
+
+        public CookieSecurePolicy CookieSecure
+        {
+            get
+            {
+                return Cookie.SecurePolicy;
+            }
+            set
+            {
+                Cookie.SecurePolicy = value;
+            }
+        }
+
+        public CookieAuthenticationOptions()
+        {
+        }
+    }
+}
--- a/csharp/ql/test/resources/stubs/Microsoft.AspNetCore.Authentication.cs
+++ b/csharp/ql/test/resources/stubs/Microsoft.AspNetCore.Authentication.cs
@@ -0,0 +1,10 @@
+namespace Microsoft.AspNetCore.Authentication
+{
+    public class AuthenticationBuilder
+    {
+    }
+
+    public class AuthenticationSchemeOptions
+    {
+    }
+}
--- a/csharp/ql/test/resources/stubs/Microsoft.AspNetCore.Builder.cs
+++ b/csharp/ql/test/resources/stubs/Microsoft.AspNetCore.Builder.cs
@@ -0,0 +1,85 @@
+using System;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.CookiePolicy;
+
+namespace Microsoft.AspNetCore.Builder
+{
+    public interface IApplicationBuilder
+    {
+        IApplicationBuilder Use(Func<RequestDelegate, RequestDelegate> middleware);
+    }
+
+    public class CookiePolicyOptions
+    {
+        public HttpOnlyPolicy HttpOnly
+        {
+            get
+            {
+                throw null;
+            }
+            set
+            {
+            }
+        }
+
+        public Action<AppendCookieContext> OnAppendCookie
+        {
+            get
+            {
+                throw null;
+            }
+            set
+            {
+            }
+        }
+
+        public Action<DeleteCookieContext> OnDeleteCookie
+        {
+            get
+            {
+                throw null;
+            }
+            set
+            {
+            }
+        }
+
+        public CookieSecurePolicy Secure
+        {
+            get
+            {
+                throw null;
+            }
+            set
+            {
+            }
+        }
+    }
+
+    public static class CookiePolicyAppBuilderExtensions
+    {
+        public static IApplicationBuilder UseCookiePolicy(this IApplicationBuilder app)
+        {
+            throw null;
+        }
+
+        public static IApplicationBuilder UseCookiePolicy(this IApplicationBuilder app, CookiePolicyOptions options)
+        {
+            throw null;
+        }
+    }
+
+    public class SessionOptions
+    {
+        public CookieBuilder Cookie
+        {
+            get
+            {
+                throw null;
+            }
+            set
+            {
+            }
+        }
+    }
+}
--- a/csharp/ql/test/resources/stubs/Microsoft.AspNetCore.CookiePolicy.cs
+++ b/csharp/ql/test/resources/stubs/Microsoft.AspNetCore.CookiePolicy.cs
@@ -0,0 +1,143 @@
+using Microsoft.AspNetCore.Http;
+
+namespace Microsoft.AspNetCore.CookiePolicy
+{
+    public enum HttpOnlyPolicy
+    {
+        None,
+        Always
+    }
+
+    public class AppendCookieContext
+    {
+        public HttpContext Context
+        {
+            get
+            {
+                throw null;
+            }
+        }
+
+        public string CookieName
+        {
+            get
+            {
+                throw null;
+            }
+            set
+            {
+            }
+        }
+
+        public CookieOptions CookieOptions
+        {
+            get
+            {
+                throw null;
+            }
+        }
+
+        public string CookieValue
+        {
+            get
+            {
+                throw null;
+            }
+            set
+            {
+            }
+        }
+
+        public bool HasConsent
+        {
+            get
+            {
+                throw null;
+            }
+        }
+
+        public bool IsConsentNeeded
+        {
+            get
+            {
+                throw null;
+            }
+        }
+
+        public bool IssueCookie
+        {
+            get
+            {
+                throw null;
+            }
+            set
+            {
+            }
+        }
+
+        public AppendCookieContext(HttpContext context, CookieOptions options, string name, string value)
+        {
+        }
+    }
+
+    public class DeleteCookieContext
+    {
+        public HttpContext Context
+        {
+            get
+            {
+                throw null;
+            }
+        }
+
+        public string CookieName
+        {
+            get
+            {
+                throw null;
+            }
+            set
+            {
+            }
+        }
+
+        public CookieOptions CookieOptions
+        {
+            get
+            {
+                throw null;
+            }
+        }
+
+        public bool HasConsent
+        {
+            get
+            {
+                throw null;
+            }
+        }
+
+        public bool IsConsentNeeded
+        {
+            get
+            {
+                throw null;
+            }
+        }
+
+        public bool IssueCookie
+        {
+            get
+            {
+                throw null;
+            }
+            set
+            {
+            }
+        }
+
+        public DeleteCookieContext(HttpContext context, CookieOptions options, string name)
+        {
+        }
+    }
+}
--- a/csharp/ql/test/resources/stubs/Microsoft.AspNetCore.Hosting.cs
+++ b/csharp/ql/test/resources/stubs/Microsoft.AspNetCore.Hosting.cs
@@ -0,0 +1,6 @@
+namespace Microsoft.AspNetCore.Hosting
+{
+    public interface IWebHostEnvironment
+    {
+    }
+}
--- a/csharp/ql/test/resources/stubs/Microsoft.AspNetCore.Http.cs
+++ b/csharp/ql/test/resources/stubs/Microsoft.AspNetCore.Http.cs
@@ -0,0 +1,87 @@
+using System.Threading.Tasks;
+
+namespace Microsoft.AspNetCore.Http
+{
+    public interface IResponseCookies
+    {
+        void Append(string key, string value);
+
+        void Append(string key, string value, CookieOptions options);
+
+        void Delete(string key);
+
+        void Delete(string key, CookieOptions options);
+    }
+
+    public abstract class HttpResponse
+    {
+        public abstract IResponseCookies Cookies
+        {
+            get;
+        }
+    }
+    
+    public class CookieOptions
+    {
+        public bool HttpOnly
+        {
+            get
+            {
+                throw null;
+            }
+            set
+            {
+            }
+        }
+
+        public bool Secure
+        {
+            get
+            {
+                throw null;
+            }
+            set
+            {
+            }
+        }
+    }
+
+    public delegate Task RequestDelegate(HttpContext context);
+
+    public abstract class HttpContext
+    {
+    }
+
+    public enum CookieSecurePolicy
+    {
+        SameAsRequest,
+        Always,
+        None
+    }
+
+    public class CookieBuilder
+    {
+        public virtual bool HttpOnly
+        {
+            get
+            {
+                throw null;
+            }
+            set
+            {
+            }
+        }
+
+        public virtual CookieSecurePolicy SecurePolicy
+        {
+            get
+            {
+                throw null;
+            }
+            set
+            {
+            }
+        }
+
+    }
+}
--- a/csharp/ql/test/resources/stubs/Microsoft.AspNetCore.Mvc.cs
+++ b/csharp/ql/test/resources/stubs/Microsoft.AspNetCore.Mvc.cs
@@ -0,0 +1,15 @@
+using Microsoft.AspNetCore.Http;
+
+namespace Microsoft.AspNetCore.Mvc
+{
+    public abstract class Controller
+    {
+        public HttpResponse Response
+        {
+            get
+            {
+                throw null;
+            }
+        }
+    }
+}
--- a/Show More
+++ b/Show More
				`@@ -0,0 +1 @@`
				`experimental/Security Features/CWE-1004/CookieWithoutHttpOnly.ql`
				`@@ -0,0 +1 @@`
				`\| Program.cs:7:22:7:59 \| object creation of type HttpCookie \| Cookie attribute 'HttpOnly' is not set to true. \|`
				`@@ -0,0 +1 @@`
				`experimental/Security Features/CWE-614/CookieWithoutSecure.ql`
				`@@ -0,0 +1 @@`
				`\| Program.cs:7:22:7:60 \| object creation of type HttpCookie \| Cookie attribute 'Secure' is not set to true. \|`