Cookie session without 'HttpOnly' flag

An HTTP cookie is a small piece of information that a server sends to the user’s web browser. The Cookie header stores the HTTP cookies previously sent by the web server with the Set-Cookie header.

The session cookies are deleted when the browser shuts down and if the cookies are permanent, they will expire at the time defined by Expires or Max-Age.

The risk of client-side scripts accessing the protected cookie can be mitigated by including an additional “HttpOnly” flag in the Set-Cookie HTTP response header.

As a result, the browser will not reveal the cookie to a third party even if a cross-site scripting (XSS) flaw exists in the web application.

During a cross-site scripting attack, an attacker might easily access cookies and using these he may hijack the victim’s session.

An attacker can grab the sensitive information contained in the cookie.

Set HTTPOnly on the cookie. This helps mitigate a large part of XSS attacks attempting to capture the cookies and possibly leaking sensitive information or allowing the attacker to impersonate the user.

The HTTP TRACE method combined with XSS can read the authentication cookie, even if the HttpOnly flag is used. So make sure that the HTTP TRACE method is disabled.

The example shows an HTTP response of a web server with a cookie being set using the Set-cookie HTTP response header:

    Set-Cookie: session=219ffwef9w0frtegazxw345; Path=/; Secure; HttpOnly

  

Using .NET to set HttpOnly

When setting a cookie manually, there is an easy CookieOptions object that you can use to set HttpOnly to true.

    HttpContext.Response.Cookies.Append(
    "CookieKey",
    "CookieValue",
    new CookieOptions
    {
      HttpOnly = true
    });

  

Using php to set HttpOnly flag

    setcookie ( string $name [, string $value = "" [, int $expires = 0 [, string $path = "" [, string $domain = "" [, bool $secure = FALSE [, bool $httponly = TRUE ]]]]]] ) : bool
  

Using Java to set HttpOnly flag

    Cookie c = new Cookie(COOKIENAME, sensitivedata);
    c.setHttpOnly(true);
  

Set HttpOnly flag in IIS

Edit the web.config file of your web application and add the following:

    <system.web>
      ...
      <httpCookies httpOnlyCookies="true" requireSSL="true" />
      ...
    </system.web>

  

Set HttpOnly flag in nginx

By using “nginx_cookie_flag_module” Module:

  • You need to build Nginx from the source code by adding the module.
    --add-module=/path/to/nginx_cookie_flag_module

  
  • Add the following line either in location or server directive in the respective configuration file.
    	set_cookie_flag HttpOnly secure;

  

By using proxy_cookie_path:

  • Add the below syntax in ssl.conf or default.conf and restart the server.
    proxy_cookie_path / "/; HTTPOnly; Secure";

  

Set HttpOnly flag in Apache

  • Ensure you have mod_headers.so enabled in Apache HTTP server.

  • Add the following entry in httpd.conf and restart the server.

    Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

  

Related Articles