Vulnerability Fixation
HttpOnly Flag Missing

Session Cookie Without HttpOnly

According to the Microsoft Developer Network, HttpOnly is an additional flag included in a Set-Cookie HTTP response header. Using the HttpOnly flag when generating a cookie helps mitigate the risk of client-side script accessing the protected cookie (if the browser supports it).

If the optional HttpOnly flag is included in the HTTP response header, the cookie cannot be accessed through client-side script (again, if the browser supports this flag). As a result, even if a cross-site scripting (XSS) flaw exists and a user accidentally follows a link that exploits it, the browser (primarily Internet Explorer) will not reveal the cookie to a third party.

How to Set HttpOnly Cookie Flag

Java

  1. Programmatically (Servlet 3.0 API or later):
    cookie.setHttpOnly(true);
  2. Set in web.xml (applies to the container-managed session cookie):
    <session-config><cookie-config><http-only>true</http-only></cookie-config></session-config>
  3. Tomcat:
    Set useHttpOnly="true" on the <Context> element in context.xml
  4. JBoss:
    Set httpOnly="true" under <SessionCookie>

.NET

  1. Enabled by default for session & authentication cookies
  2. Enable globally in web.config:
    <httpCookies httpOnlyCookies="true" />
  3. Programmatically:
    myCookie.HttpOnly = true;

PHP

  1. Enable in php.ini:
    session.cookie_httponly = True
  2. Enable in script:
    session_set_cookie_params(..., true);
  3. Application cookie:
    setcookie(..., true);
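Whichever platform sets the flag, the check that matters is what the server actually emits. The following is an added example, not code from the original page: a small Python check that parses Set-Cookie headers and flags session cookies missing HttpOnly. The response headers are constructed samples; the session cookie names are the well-known defaults of the three platforms above (Java servlet containers, ASP.NET, PHP).

```python
from typing import List, Set, Tuple

# Default session cookie names for the platforms covered above.
SESSION_COOKIE_NAMES = {"JSESSIONID", "ASP.NET_SessionId", "PHPSESSID"}

# Constructed sample response headers, as a server might emit them.
# Only PHPSESSID lacks HttpOnly; "theme" is not a session cookie.
SAMPLE_HEADERS = [
    "Set-Cookie: JSESSIONID=0A1B2C3D; Path=/; Secure; HttpOnly",
    "Set-Cookie: PHPSESSID=q9z8y7x6; path=/",
    "Set-Cookie: ASP.NET_SessionId=abc123; path=/; HttpOnly",
    "Set-Cookie: theme=dark; Path=/; Max-Age=31536000",
    "Content-Type: text/html",
]


def parse_set_cookie(header_value: str) -> Tuple[str, Set[str]]:
    """Return (cookie name, set of attribute names in lower case).

    Attribute names are compared case-insensitively (RFC 6265), so
    'httponly', 'HttpOnly' and 'HTTPONLY' all count as the same flag.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def find_unprotected_session_cookies(headers: List[str]) -> List[str]:
    """Names of session cookies that were set without the HttpOnly attribute."""
    findings = []
    for line in headers:
        field, _, value = line.partition(":")
        if field.strip().lower() != "set-cookie":
            continue  # only Set-Cookie headers are relevant
        name, attrs = parse_set_cookie(value)
        if name in SESSION_COOKIE_NAMES and "httponly" not in attrs:
            findings.append(name)
    return findings


if __name__ == "__main__":
    for cookie_name in find_unprotected_session_cookies(SAMPLE_HEADERS):
        print(f"session cookie {cookie_name} is missing HttpOnly")
```

Run it against the headers captured from a real response (for example, the output of curl -i) to confirm the configuration change took effect.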
