VID: 210184
Severity: 20
Port: 80, ...
Protocol: TCP
Class: CGI
Detailed Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page, the cookie will be accessible to that script and can be transmitted to another site. If this is a session cookie, session hijacking may be possible.

* References: https://www.owasp.org/index.php/HttpOnly
* Platforms Affected: Any operating system, any version
Recommendation

* Java: Servlet 3.0 (Java EE 6) introduced a standard way to configure attributes of the session cookie, including HttpOnly; apply the following configuration in web.xml:

    [web.xml]
    <session-config>
      <cookie-config>
        <http-only>true</http-only>
      </cookie-config>
    </session-config>

* Tomcat: In Tomcat 6, set the Context element's useHttpOnly attribute in context.xml as follows:

    <?xml version="1.0" encoding="UTF-8"?>
    <Context path="/myWebApplicationPath" useHttpOnly="true">
    </Context>

* PHP: For session cookies managed by PHP, the flag is set permanently in php.ini (see the PHP manual on HttpOnly) through the parameter:

    session.cookie_httponly = True
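To verify this finding (or confirm the fixes above took effect) from the defender's side, the following added example, which is not part of the scanner entry, audits Set-Cookie header values for a missing HttpOnly flag; the sample headers are constructed and the session-name hints are an assumption.

```python
# Added example: audit Set-Cookie headers for cookies lacking HttpOnly.
# Not part of the scanner entry; the name hints below are an assumption
# used only to rank session-like cookies, as the description warns that
# a session cookie without HttpOnly may allow session hijacking.

SESSION_NAME_HINTS = ("sess", "sid", "auth", "token")


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attribute: value}).

    Attribute names are lower-cased because cookie attributes are
    case-insensitive (HttpOnly, httponly and HTTPONLY are all valid).
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_cookies(set_cookie_headers):
    """Return one finding per cookie that was set without HttpOnly."""
    findings = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if "httponly" in attrs:
            continue  # flag present: not accessible to document.cookie
        findings.append({
            "cookie": name,
            # session-like cookies are the ones that enable hijacking
            "session_like": any(h in name.lower() for h in SESSION_NAME_HINTS),
            "secure": "secure" in attrs,
        })
    return findings


# Constructed sample response headers (not captured from a real server).
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/; Secure",
    "PHPSESSID=def456; Path=/; HttpOnly",
    "theme=dark; Path=/; Max-Age=31536000",
    "csrftoken=xyz789; Path=/; SameSite=Lax; HttpOnly",
]

if __name__ == "__main__":
    for finding in audit_cookies(SAMPLE_HEADERS):
        print(finding)
```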
Related URL (CVE):
Related URL (SecurityFocus):
Related URL (ISS):