
The cookie is missing security flag HttpOnly

Set the HttpOnly flag on every new cookie so that it cannot be read by client-side script.

Risk

Cookies that do not have the HttpOnly flag set can be read by JavaScript running on any page within the cookie's domain and path scope (through document.cookie). If a user is the target of a Cross-Site Scripting (XSS) attack, the injected script can read the session cookie and send it to the attacker, who can then hijack the session. HttpOnly makes the cookie unreadable from script; it does not stop the XSS itself, and an injected script can still issue requests from the victim's browser, so the flag is a defense in depth measure, not a substitute for fixing the injection.

Vulnerable Code

var cookie = new HttpCookie("test"); // HttpOnly and Secure are not set: the cookie is readable from script and sent over plain HTTP

Solution

Web.Config (sets the HttpOnly default for cookies the application creates; individual cookies can still override it):
<httpCookies httpOnlyCookies="true" [..] />

Code (set the flag explicitly on the cookie; Secure should be set as well so the cookie is only sent over HTTPS):
var cookie = new HttpCookie("test");
cookie.Secure = true;   // only transmit over HTTPS
cookie.HttpOnly = true; // Add this flag: not readable from document.cookie
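To confirm the fix from outside the application, inspect the Set-Cookie headers the server actually sends rather than trusting the source or the configuration. The following Python script is an added example, not code from this rule page or from the analyzer it documents: it parses Set-Cookie header values (attribute names compared case-insensitively, as RFC 6265 allows) and reports every cookie that lacks HttpOnly, and also Secure since the solution above sets both. The response headers in it are constructed samples, not a capture from a real server.

```python
"""Audit Set-Cookie response headers for cookies missing HttpOnly (and Secure).

Added example, not code from the original rule page or from the analyzer it
describes. All header values below are constructed sample input.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class CookieAudit:
    """Result for one Set-Cookie header."""
    name: str
    attributes: dict[str, str | None] = field(default_factory=dict)  # lower-cased attribute -> value
    missing: list[str] = field(default_factory=list)                 # flags that should be present


def parse_set_cookie(header_value: str) -> CookieAudit:
    """Split a Set-Cookie value into the cookie name and its attributes (RFC 6265 layout).

    Attribute names are lower-cased because 'HttpOnly', 'httponly' and 'HTTPONLY'
    are all valid on the wire and must all count as the flag being present.
    """
    parts = [p.strip() for p in header_value.split(";")]
    # The first segment is the cookie-pair; partition tolerates '=' inside the value.
    name, _, _value = parts[0].partition("=")
    attributes: dict[str, str | None] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, value = part.partition("=")
        attributes[key.strip().lower()] = value.strip() if has_value else None
    return CookieAudit(name=name.strip(), attributes=attributes)


def audit_set_cookie(header_value: str) -> CookieAudit:
    """Flag a cookie that lacks HttpOnly (the rule on this page) or Secure."""
    audit = parse_set_cookie(header_value)
    if "httponly" not in audit.attributes:
        audit.missing.append("HttpOnly")
    if "secure" not in audit.attributes:
        audit.missing.append("Secure")
    return audit


def audit_response_headers(headers: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Return {cookie name: [missing flags]} for every Set-Cookie header in a response."""
    findings: dict[str, list[str]] = {}
    for header_name, header_value in headers:
        if header_name.lower() != "set-cookie":
            continue
        audit = audit_set_cookie(header_value)
        findings[audit.name] = audit.missing
    return findings


# Constructed sample response headers (not a real capture).
SAMPLE_HEADERS: list[tuple[str, str]] = [
    ("Content-Type", "text/html; charset=utf-8"),
    # A cookie emitted with neither flag: readable from script, sent over plain HTTP.
    ("Set-Cookie", "test=abc; path=/"),
    # The corrected cookie: both flags present.
    ("Set-Cookie", "session=def456; path=/; secure; HttpOnly"),
    # HttpOnly present in upper case, Secure still missing, and a value containing '='.
    ("Set-Cookie", "prefs=theme=dark; Path=/; HTTPONLY; SameSite=Lax"),
]


if __name__ == "__main__":
    for cookie_name, missing in audit_response_headers(SAMPLE_HEADERS).items():
        status = "OK" if not missing else "missing " + ", ".join(missing)
        print(f"{cookie_name}: {status}")
```

Run it against the raw headers from a real response (for example the output of a proxy or of curl -i) to check that the web.config default really reached every cookie the application sets, including cookies created by third-party libraries that may override it.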

References

Coding Horror blog: Protecting Your Cookies: HttpOnly
OWASP: HttpOnly
Rapid7: Missing HttpOnly Flag From Cookie