False positive - Websites must specify the HttpOnly attribute on sensitive cookies

[markwallace-microsoft]

Description of the false positive

We got 5000 "Websites must specify the HttpOnly attribute on sensitive cookies" errors reported in our repo against C# code.

Here is an example:

dotnet/samples/Concepts/Agents/ChatCompletion_FunctionTermination.dotnet/samplescs:135

        // Local function to invoke agent and display the conversation messages.
        async Task InvokeAgentAsync(string input)
        {
            ChatMessageContent message = new(AuthorRole.User, input);
HttpOnly attribute is missing or not set to true on the Http Cookie
CodeQL
            chat.Add(message);
            this.WriteAgentChatMessage(message);

https://github.com/microsoft/semantic-kernel/security/code-scanning/195

[LittleLittleCloud]

We also got 3000+ "Websites must specify the HttpOnly attribute on sensitive cookies" errors reported in our repo against C# code since this commit: bcd6e71e7f762c94d6e2c5a48d4e9856aa46da59

• https://github.com/microsoft/autogen/security/code-scanning/5423