Cookie – HttpOnly Flag
Description
When a cookie is set with the HttpOnly flag, the browser still sends it back to the server with every matching request, but it does not expose it to client-side script: document.cookie does not return it. This is an important protection for session cookies.

If the HttpOnly flag (it is optional) is set, the cookie cannot be read by client-side script in any browser that supports the flag. The flag originated in Internet Explorer 6 SP1, and all current browsers support it. As a result, even if a Cross-Site Scripting (XSS) flaw exists and a user follows a link that exploits it, the injected script cannot read the session cookie and send it to a third party. The caveat is that HttpOnly limits only what script can read: script running in the page can still issue requests that the browser sends with the cookie attached, so the flag mitigates session theft, not every consequence of XSS.
Risk
Without the flag, script injected through an XSS flaw can read the session cookie and use it to steal or manipulate the session. An attacker holding the cookie can impersonate the legitimate user, view or alter that user's records, and perform transactions as that user.
How to set HttpOnly
Set HttpOnly in Java
Set HttpOnly in .NET
Set HttpOnly in PHP
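The following is an added example and not code from the original page, which covers Java, .NET and PHP. It uses only the Python standard library: build_session_cookie produces a Set-Cookie header value with HttpOnly set (alongside the Secure and SameSite attributes normally set with it), and audit_set_cookie / cookies_missing_httponly parse captured Set-Cookie headers and report any cookie set without the flag, which is the check a tester runs against a live response. The cookie names and values in SAMPLE_HEADERS are constructed sample data.

```python
"""Build a Set-Cookie header with HttpOnly and audit headers that lack it.

Added example; not code from the original page. Standard library only.
"""
from http.cookies import SimpleCookie


def build_session_cookie(name, value, secure=True, samesite="Lax", max_age=None):
    """Return the value of a Set-Cookie header for a session cookie.

    HttpOnly keeps the cookie out of document.cookie; Secure and SameSite are
    the companion attributes normally set alongside it.
    """
    cookie = SimpleCookie()
    cookie[name] = value
    morsel = cookie[name]
    morsel["path"] = "/"
    morsel["httponly"] = True          # script cannot read it via document.cookie
    if secure:
        morsel["secure"] = True        # only sent over HTTPS
    if samesite:
        morsel["samesite"] = samesite  # requires Python 3.8+
    if max_age is not None:
        morsel["max-age"] = max_age
    return morsel.OutputString()


def audit_set_cookie(header):
    """Parse one Set-Cookie header value and report the flags it carries.

    Attribute names are case-insensitive (RFC 6265), so 'httponly',
    'HttpOnly' and 'HTTPONLY' are all recognised as the same flag.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")   # first '=' separates name and value
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {
        "name": name.strip(),
        "httponly": "httponly" in attrs,
        "secure": "secure" in attrs,
        "samesite": attrs.get("samesite"),
    }


def cookies_missing_httponly(set_cookie_headers):
    """Return the names, in order, of cookies set without the HttpOnly flag."""
    return [
        report["name"]
        for report in map(audit_set_cookie, set_cookie_headers)
        if not report["httponly"]
    ]


# Constructed sample Set-Cookie headers, as a tester might capture from a response.
SAMPLE_HEADERS = [
    "PHPSESSID=9f2c1d7e4b; Path=/",                                    # weak: script-readable
    "JSESSIONID=1A2B3C4D5E; Path=/; HttpOnly",                         # protected
    ".AspNetCore.Session=Q2hhbmdlTWU=; Path=/; HttpOnly; Secure; SameSite=Lax",  # protected
]


if __name__ == "__main__":
    print("Set-Cookie: " + build_session_cookie("sid", "9f2c1d7e4b", max_age=3600))
    for cookie_name in cookies_missing_httponly(SAMPLE_HEADERS):
        print("missing HttpOnly:", cookie_name)
```

In practice the audit runs over every Set-Cookie header in a response; only cookies that carry session or authentication state need HttpOnly, so a reported name is a finding only when that cookie is sensitive and no script on the page legitimately reads it.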