Session Cookie without HttpOnly Flag

Impact: Medium


When a session cookie is set without the HttpOnly flag, client-side JavaScript running in the page can read it. A Cross-Site Scripting (XSS) flaw anywhere on the site can then exfiltrate the cookie, allowing an attacker to hijack the user's session.


To mitigate the risk of session hijacking via XSS, ensure every session cookie is set with the HttpOnly flag so that client-side scripts cannot read it. Note that HttpOnly limits the damage of an XSS flaw rather than fixing it: script running in the page can still send requests that carry the cookie, so the underlying XSS must still be remediated.
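The following is an added example, not code from the original page: it builds a session Set-Cookie header with the HttpOnly flag and audits a response's Set-Cookie headers for session cookies that lack it. The list of session cookie names and the sample headers are constructed assumptions.

```python
"""Set a hardened session cookie and audit Set-Cookie headers for
session cookies missing HttpOnly. Added example; names and sample
headers below are constructed, not taken from any real application."""

# Assumed names commonly used for session cookies (constructed list).
SESSION_COOKIE_NAMES = {"sessionid", "jsessionid", "phpsessid", "connect.sid", "session"}


def session_cookie_header(name: str, value: str, max_age: int = 3600) -> str:
    """Return a Set-Cookie header value with HttpOnly (the fix on this page),
    plus Secure and SameSite, which belong on a session cookie as well."""
    if ";" in value or "," in value:
        raise ValueError("cookie value must not contain ';' or ','")
    return f"{name}={value}; Path=/; Max-Age={max_age}; HttpOnly; Secure; SameSite=Lax"


def parse_set_cookie(header: str):
    """Split one Set-Cookie header into (name, value, {attr_lower: value_or_True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        # Flag attributes such as HttpOnly have no value; store them as True.
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def audit_set_cookies(headers, session_names=SESSION_COOKIE_NAMES):
    """Return the names of session cookies set without HttpOnly.
    `headers` is the list of Set-Cookie header values from one response."""
    findings = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if name.lower() in session_names and "httponly" not in attrs:
            findings.append(name)
    return findings


# Constructed sample response: one session cookie missing the flag,
# one set correctly, and one non-session cookie that needs no flag.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/",                       # finding
    session_cookie_header("JSESSIONID", "deadbeef"),  # compliant
    "theme=dark; Path=/; Max-Age=31536000",           # not a session cookie
]

if __name__ == "__main__":
    for cookie in audit_set_cookies(SAMPLE_HEADERS):
        print(f"session cookie '{cookie}' is set without HttpOnly")
```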


Last updated on May 13, 2024

