Session Cookie without HttpOnly Flag

Impact: Medium

Description

The HttpOnly cookie flag prevents the JavaScript Document.cookie API from accessing the cookie. When this flag is set, the browser still sends the cookie with requests to the server, but scripts running in the page cannot read it. In many cases, cookies are not needed on the client side. Session cookies are a good example of cookies that don’t need to be available to JavaScript. Using the HttpOnly flag can help to mitigate Cross-Site Scripting (XSS) attacks, because an injected script cannot read and exfiltrate the session cookie.

Recommendation

Set the HttpOnly flag on the cookie.
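As an added example (not SmartScanner's own code), the check below parses Set-Cookie headers from a response and reports the cookies that lack the HttpOnly attribute, alongside a helper that emits a session cookie header with the flag set; the sample headers and cookie values are constructed.

```python
from typing import Dict, List

# Constructed sample Set-Cookie headers, as a scanner would see them in an HTTP response.
SAMPLE_SET_COOKIE_HEADERS = [
    "JSESSIONID=abc123; Path=/; Secure",            # session cookie, HttpOnly missing
    "PHPSESSID=def456; Path=/; HttpOnly; Secure",   # correctly flagged
    "theme=dark; Path=/; Max-Age=2592000",          # non-session cookie, script may need it
]


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header into the cookie name and its attributes.

    Attribute names are lower-cased; flag attributes without a value
    (HttpOnly, Secure) are stored as True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, _ = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        if key.strip():
            attrs[key.strip().lower()] = value.strip() if value else True
    return {"name": name.strip(), "attrs": attrs}


def cookies_missing_httponly(headers: List[str]) -> List[str]:
    """Return the names of cookies whose Set-Cookie header has no HttpOnly attribute."""
    return [
        cookie["name"]
        for cookie in map(parse_set_cookie, headers)
        if "httponly" not in cookie["attrs"]
    ]


def session_cookie_header(name: str, value: str) -> str:
    """Build a Set-Cookie header for a session cookie with HttpOnly set.

    Secure and SameSite=Lax are added as companion defaults; HttpOnly is the
    attribute this finding is about.
    """
    return f"{name}={value}; Path=/; HttpOnly; Secure; SameSite=Lax"


if __name__ == "__main__":
    for cookie_name in cookies_missing_httponly(SAMPLE_SET_COOKIE_HEADERS):
        print(f"cookie '{cookie_name}' is set without the HttpOnly flag")
    print(session_cookie_header("JSESSIONID", "abc123"))
```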

Last updated on February 15, 2021
