An HTTP cookie is a small piece of information that a server sends to the user's web browser in a Set-Cookie response header. The browser stores it and sends it back on later requests to that site in the Cookie request header.
Session cookies are deleted when the browser is closed; persistent cookies expire at the time given by the Expires or Max-Age attribute.
The risk of client-side scripts reading a sensitive cookie can be mitigated by adding the HttpOnly attribute to the Set-Cookie response header.
A browser that honors HttpOnly does not expose the cookie to JavaScript (it is hidden from document.cookie and from script-visible response headers), so even if a cross-site scripting (XSS) flaw exists in the web application, injected script cannot read the cookie value and send it to a third party. HttpOnly does not stop an XSS payload from making authenticated requests from the victim's browser, which still carry the cookie; it limits cookie theft, not the XSS itself.
During a cross-site scripting attack, an attacker who can run script in the victim's page can read document.cookie and, with a stolen session identifier, hijack the victim's session.
The attacker can also grab any other sensitive information stored in the cookie.
Set HttpOnly on the cookie. This mitigates a large part of the XSS attacks that aim to capture cookies, leak the sensitive information they contain, or impersonate the user.
The HTTP TRACE method combined with XSS (cross-site tracing) can read the authentication cookie even when HttpOnly is set, because TRACE echoes the request, Cookie header included, back in the response body. Modern browsers refuse to send TRACE from script (it is a forbidden method in the Fetch standard), but the server-side fix is still to disable the TRACE method.
The example shows an HTTP response of a web server with a cookie being set using the Set-Cookie HTTP response header:
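As an added example, not from the original page: a constructed HTTP response carrying three Set-Cookie headers, and a small Python audit that reports which cookies lack HttpOnly (plus the related Secure and SameSite attributes) and which ones an XSS payload could read through document.cookie. The sample response and cookie names are made up for illustration; a real audit would be fed the raw response captured with curl -i or an intercepting proxy.

```python
"""Audit Set-Cookie headers for HttpOnly (and the related Secure / SameSite attributes).

Added example, not code from the original page. The response below is constructed
for illustration only.
"""

# Constructed sample: three cookies, only the first one is fully protected.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: sessionid=5f3a9c1e; Path=/; HttpOnly; Secure; SameSite=Lax\r\n"
    "Set-Cookie: prefs=theme%3Ddark; Path=/; Max-Age=2592000\r\n"
    "Set-Cookie: csrftoken=7b2d; Path=/; Secure\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

REQUIRED_FLAGS = ("HttpOnly", "Secure", "SameSite")


def set_cookie_headers(raw_response):
    """Return the values of every Set-Cookie header in a raw HTTP/1.x response."""
    head, _, _ = raw_response.partition("\r\n\r\n")
    values = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values


def parse_set_cookie(header_value):
    """Split 'name=value; Attr; Attr=val' into the cookie name, value and attributes.

    Attribute names are case-insensitive (RFC 6265), so they are lower-cased here.
    A cookie value cannot contain ';', so splitting on it is safe.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_cookies(raw_response):
    """Map each cookie name to the list of protection flags it is missing."""
    findings = {}
    for header_value in set_cookie_headers(raw_response):
        name, _, attrs = parse_set_cookie(header_value)
        findings[name] = [f for f in REQUIRED_FLAGS if f.lower() not in attrs]
    return findings


def script_visible_cookies(raw_response):
    """Names of cookies an injected script could read via document.cookie.

    A browser that honors HttpOnly hides those cookies from JavaScript; every
    other cookie would be readable by an XSS payload running on the origin.
    """
    visible = []
    for header_value in set_cookie_headers(raw_response):
        name, _, attrs = parse_set_cookie(header_value)
        if "httponly" not in attrs:
            visible.append(name)
    return visible


if __name__ == "__main__":
    for name, missing in audit_cookies(SAMPLE_RESPONSE).items():
        status = "OK" if not missing else "missing " + ", ".join(missing)
        print(f"{name}: {status}")
    print("readable from document.cookie:", script_visible_cookies(SAMPLE_RESPONSE))
```

Running the block reports sessionid as fully protected, prefs as missing all three flags, and csrftoken as missing HttpOnly and SameSite; prefs and csrftoken are the two cookies an XSS payload could exfiltrate from document.cookie.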
When setting a cookie manually, the CookieOptions object lets you set HttpOnly to true.
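An added example, not the original article's code, assuming an ASP.NET Core application where Response is Microsoft.AspNetCore.Http.HttpResponse (the helper name SetProtectedCookie and the cookie lifetime are illustrative):

```csharp
// Added example (not from the original page). Assumes ASP.NET Core.
using System;
using Microsoft.AspNetCore.Http;

public static class CookieHelper
{
    // Writes a cookie that script cannot read (HttpOnly), that is only sent over
    // HTTPS (Secure) and that is not attached to cross-site requests (SameSite).
    public static void SetProtectedCookie(HttpResponse response, string name, string value)
    {
        var options = new CookieOptions
        {
            HttpOnly = true,
            Secure = true,
            SameSite = SameSiteMode.Strict,
            Path = "/",
            MaxAge = TimeSpan.FromHours(1)   // omit MaxAge/Expires for a session cookie
        };
        response.Cookies.Append(name, value, options);
    }
}
```

To enforce the flag on every cookie the application emits rather than per call, the cookie policy middleware can be configured with `app.UseCookiePolicy(new CookiePolicyOptions { HttpOnly = HttpOnlyPolicy.Always, Secure = CookieSecurePolicy.Always });`, which rewrites cookies that were set without the flags.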
Edit the web.config file of your web application and add the following:
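An added example, not from the original page, of the web.config setting for a classic (System.Web) ASP.NET application; ASP.NET Core does not read this section:

```xml
<!-- Added example (not from the original page). Applies to System.Web / IIS-hosted
     ASP.NET, not ASP.NET Core. -->
<configuration>
  <system.web>
    <!-- httpOnlyCookies: every cookie gets the HttpOnly flag.
         requireSSL: every cookie also gets the Secure flag, so it is only sent over HTTPS. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
</configuration>
```

Leave requireSSL="true" out only if the site is still served over plain HTTP, otherwise the browser will never send the cookies back.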
By using the nginx_cookie_flag_module module:
By using proxy_cookie_path:
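An added example covering both nginx approaches above, not from the original page; the upstream name backend and the location paths are placeholders. The set_cookie_flag directive is the third-party module's; check the module README for the exact syntax of the version you build, and note that nginx 1.19.3 and later ships a built-in proxy_cookie_flags directive that makes the module unnecessary:

```nginx
# Added example (not from the original page). "backend" and the paths are placeholders.

# 1. nginx_cookie_flag_module (third-party, must be compiled into nginx):
location / {
    proxy_pass http://backend;
    set_cookie_flag * HttpOnly secure;                      # all cookies
    # set_cookie_flag sessionid HttpOnly secure SameSite=Strict;  # a single cookie
}

# 1b. Built-in alternative on nginx >= 1.19.3, no extra module needed:
# location / {
#     proxy_pass http://backend;
#     proxy_cookie_flags ~ httponly secure samesite=strict;   # "~" matches every cookie
# }

# 2. proxy_cookie_path rewrite (works on any proxying nginx):
location /app/ {
    proxy_pass http://backend;
    # Rewrites "Path=/" to "Path=/; HttpOnly; Secure", smuggling the flags in
    # through the path attribute.
    proxy_cookie_path / "/; HttpOnly; Secure";
}
```

The proxy_cookie_path trick only touches cookies whose Path attribute is exactly "/", leaves cookies without a Path attribute unchanged, and appends the flags blindly, so a cookie the backend already marked HttpOnly ends up with the attribute twice (harmless, but untidy). Prefer proxy_cookie_flags where the nginx version allows it.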
Ensure mod_headers is enabled (mod_headers.so) in Apache HTTP Server, then add the following entry to httpd.conf and restart the server.
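An added example, not from the original page, of the mod_headers rewrite for Apache HTTP Server; the module path follows the common httpd layout and may differ on your distribution:

```apacheconf
# Added example (not from the original page). Module path may differ per distribution.
LoadModule headers_module modules/mod_headers.so

# Append HttpOnly / Secure only to Set-Cookie headers that do not already carry
# the flag, so backends that already set it do not get duplicate attributes.
# "edit" covers 2xx responses; "always edit" also covers redirects and error
# responses (login flows usually set the session cookie on a 302).
Header edit        Set-Cookie "(?i)^((?:(?!;\s*HttpOnly).)+)$" "$1; HttpOnly"
Header always edit Set-Cookie "(?i)^((?:(?!;\s*HttpOnly).)+)$" "$1; HttpOnly"
Header edit        Set-Cookie "(?i)^((?:(?!;\s*Secure).)+)$"   "$1; Secure"
Header always edit Set-Cookie "(?i)^((?:(?!;\s*Secure).)+)$"   "$1; Secure"
```

After restarting, verify with `curl -sI https://example.test/login | grep -i set-cookie` (hostname is a placeholder) that each Set-Cookie line carries HttpOnly and Secure exactly once.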