ESAPI optionally sets the 'secure' flag if it was previously set for that cookie or if the ESAPI configuration setting is set to force the 'secure' flag.
File - DefaultHTTPUtilities.java - lines 202 and 203
Line 202 of this file sets the secure flag if the 'secure' flag for that cookie was previously set or if the developer using ESAPI has the property "HttpUtilities.ForceSecureCookies" set to "true" in their ESAPI.properties file. Because ESAPI is an SDK, that is, a security library, we cannot force developers to use the 'secure' flag without potentially breaking code. (However, the default setting for "HttpUtilities.ForceSecureCookies" is set to "true" in the default ESAPI.properties configuration file.)
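The rule described above (keep the flag if the original cookie already had it, otherwise apply it only when the configuration forces it) is small enough to show in full. The following is an added, standalone illustration written for this page; it is not ESAPI's DefaultHTTPUtilities code. The property name comes from the issue text, but the `Cookie` stand-in class, the `Properties`-based configuration lookup and the header-building helper are assumptions made so the example runs without the servlet API or an ESAPI.properties file.

```java
import java.util.Properties;

/**
 * Illustrates the "secure if previously secure OR if forced by configuration" rule.
 * Hypothetical reconstruction for explanation only; not the ESAPI implementation.
 */
public class SecureCookieFlagExample {

    // Property name as given in the issue; the values used below are constructed samples.
    static final String FORCE_SECURE_PROP = "HttpUtilities.ForceSecureCookies";

    /** Minimal stand-in for javax.servlet.http.Cookie (assumption: the real code uses the servlet class). */
    static final class Cookie {
        final String name;
        final String value;
        final boolean secure;

        Cookie(String name, String value, boolean secure) {
            this.name = name;
            this.value = value;
            this.secure = secure;
        }
    }

    /**
     * Decides whether the outgoing cookie must carry the Secure attribute.
     * The default of "true" mirrors the default shipped in ESAPI.properties as stated in the issue.
     */
    static boolean shouldBeSecure(Cookie original, Properties esapiProps) {
        boolean forced = Boolean.parseBoolean(esapiProps.getProperty(FORCE_SECURE_PROP, "true"));
        return original.secure || forced;
    }

    /** Builds a Set-Cookie header value, appending "; Secure" only when the rule above says so. */
    static String buildSetCookieHeader(Cookie original, Properties esapiProps) {
        StringBuilder header = new StringBuilder();
        header.append(original.name).append('=').append(original.value);
        header.append("; Path=/; HttpOnly");          // HttpOnly shown here as a sensible companion default
        if (shouldBeSecure(original, esapiProps)) {
            header.append("; Secure");
        }
        return header.toString();
    }

    /** Defender-side check: flags any emitted header that lacks the Secure attribute. */
    static boolean headerIsSecure(String setCookieHeader) {
        for (String part : setCookieHeader.split(";")) {
            if (part.trim().equalsIgnoreCase("Secure")) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        Cookie plain = new Cookie("session", "abc123", false);   // developer did not set the flag
        Cookie alreadySecure = new Cookie("token", "xyz789", true);

        // Case 1: forcing enabled (the shipped default) -> both cookies go out Secure.
        Properties forcing = new Properties();
        forcing.setProperty(FORCE_SECURE_PROP, "true");
        System.out.println(buildSetCookieHeader(plain, forcing));          // ...; Secure
        System.out.println(buildSetCookieHeader(alreadySecure, forcing));  // ...; Secure

        // Case 2: forcing disabled -> only the cookie that was already secure keeps the flag.
        Properties notForcing = new Properties();
        notForcing.setProperty(FORCE_SECURE_PROP, "false");
        String plainHeader = buildSetCookieHeader(plain, notForcing);
        System.out.println(plainHeader);                                    // no Secure attribute
        System.out.println(buildSetCookieHeader(alreadySecure, notForcing)); // ...; Secure

        // A review or test step would flag case 2's first header as a finding to investigate.
        System.out.println("plain cookie secure without forcing? " + headerIsSecure(plainHeader));
    }
}
```

The point of the two runs is that "ForceSecureCookies=false" does not strip the flag from cookies that already carry it; it only stops ESAPI from adding it, which is why a deployment that turns the default off should grep its emitted Set-Cookie headers (the `headerIsSecure` check here) rather than assume the library has done it.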