Cookie – HttpOnly Flag
When a cookie is set with the HTTPOnly flag, it instructs the browser that the cookie can only be accessed by the server and not by client-side scripts. This is an important security protection for session cookies.
If the HttpOnly flag (optional) is set, the cookie cannot be accessed through client-side script (again, if the browser supports this flag). As a result, even if a Cross-Site Scripting (XSS) flaw exists and a user accidentally accesses a link that exploits this flaw, the browser (primarily Internet Explorer) will not reveal the cookie to a third party.
It is possible to steal or manipulate sessions and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user.
How to set HttpOnly
Set HttpOnly in JAVA
Set HttpOnly in .NET
Set HttpOnly in PHP
Leave a ReplyWant to join the discussion?
Feel free to contribute!