Cookie session without 'HttpOnly' flag

By
Jijith Rajan
Published on
05 Jun 2018
3 min read
Vulnerability
Cookies Attributes

An HTTP cookie is a small piece of information that a server sends to the user’s web browser. The server sets it with the Set-Cookie response header; the browser stores it and returns it on later requests in the Cookie request header.

Session cookies are deleted when the browser is closed; persistent cookies expire at the time defined by the Expires or Max-Age attribute.

The risk of client-side scripts accessing the protected cookie can be mitigated by including an additional “HttpOnly” flag in the Set-Cookie HTTP response header.

As a result, the browser does not expose the cookie to client-side script, so even if a cross-site scripting (XSS) flaw exists in the web application, injected script cannot read the cookie through document.cookie.

During a cross-site scripting attack, an attacker can read the cookies from the page and use them to hijack the victim’s session.

An attacker can grab the sensitive information contained in the cookie.

Set HttpOnly on the cookie. This mitigates a large part of the XSS attacks that try to capture cookies, which could leak sensitive information or allow the attacker to impersonate the user.

The HTTP TRACE method combined with XSS (cross-site tracing) can read the authentication cookie even when the HttpOnly flag is set, so make sure the HTTP TRACE method is disabled on the server.

The example shows an HTTP response of a web server with a cookie being set using the Set-Cookie HTTP response header:

    Set-Cookie: session=219ffwef9w0frtegazxw345; Path=/; Secure; HttpOnly
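A scanner reports this vulnerability by parsing each Set-Cookie header and checking its attributes. The following Python script is an added example (not code from the article or from Beagle Security) that performs that check: it parses Set-Cookie values with case-insensitive attribute names, classifies each cookie as session or persistent from Expires/Max-Age, and reports a finding for every cookie missing HttpOnly or Secure. The response headers and cookie values it runs on are constructed for the demonstration.

```python
"""Audit Set-Cookie response headers for the HttpOnly and Secure flags.

Added example, not from the original article. The sample headers and the
cookie values below are constructed; the session value is a placeholder.
"""
from dataclasses import dataclass, field


@dataclass
class CookieAudit:
    name: str
    httponly: bool
    secure: bool
    persistent: bool          # True when Expires or Max-Age is present
    findings: list = field(default_factory=list)


def parse_set_cookie(header_value: str) -> CookieAudit:
    """Parse one Set-Cookie value: name=value; attr; attr=value; ..."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, _ = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        # Attribute names are case-insensitive ("httponly" == "HttpOnly")
        attrs[key.strip().lower()] = val.strip()
    httponly = "httponly" in attrs
    secure = "secure" in attrs
    persistent = "expires" in attrs or "max-age" in attrs
    audit = CookieAudit(name.strip(), httponly, secure, persistent)
    if not httponly:
        audit.findings.append("missing HttpOnly: readable via document.cookie under XSS")
    if not secure:
        audit.findings.append("missing Secure: also sent over plain HTTP")
    return audit


def audit_response_headers(headers):
    """headers: list of (name, value) tuples as received from a server."""
    return [parse_set_cookie(v) for n, v in headers if n.lower() == "set-cookie"]


# Constructed sample response headers (cookie values are placeholders)
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=219ffwef9w0frtegazxw345; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "prefs=dark; Path=/; Max-Age=2592000"),
    ("Set-Cookie", "auth=PLACEHOLDER; path=/; httponly"),
]

if __name__ == "__main__":
    for a in audit_response_headers(SAMPLE_HEADERS):
        kind = "persistent" if a.persistent else "session"
        status = "OK" if not a.findings else "; ".join(a.findings)
        print(f"{a.name} ({kind}): {status}")
```

Run against live traffic, the `headers` list would come from an HTTP client's raw response headers; the point of keeping the parser separate is that the same function can be fed captured headers from a proxy log when reviewing a finding.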

  

Using .NET to set HttpOnly

When setting a cookie manually in ASP.NET Core, pass a CookieOptions object with HttpOnly set to true (it defaults to false).

    // ASP.NET Core: HttpOnly is false by default, so set it explicitly
    HttpContext.Response.Cookies.Append(
        "CookieKey",
        "CookieValue",
        new CookieOptions
        {
            HttpOnly = true
        });

  

Using php to set HttpOnly flag

    // setcookie(string $name, string $value = "", int $expires = 0, string $path = "",
    //           string $domain = "", bool $secure = false, bool $httponly = false): bool
    // $httponly defaults to false, so it must be passed as true explicitly
    setcookie("session", $sessionId, 0, "/", "", true, true);
  

Using Java to set HttpOnly flag

    import javax.servlet.http.Cookie;

    Cookie c = new Cookie(COOKIENAME, sensitivedata);
    c.setHttpOnly(true);      // Servlet 3.0+: cookie is hidden from document.cookie
    response.addCookie(c);    // response is the HttpServletResponse in scope
  

Set HttpOnly flag in IIS

Edit the web.config file of your web application and add the following:

    <system.web>
      ...
      <httpCookies httpOnlyCookies="true" requireSSL="true" />
      ...
    </system.web>

  

Set HttpOnly flag in nginx

By using the nginx_cookie_flag_module module:

  • Build Nginx from source with the module added:
    --add-module=/path/to/nginx_cookie_flag_module

  • Add the following line in the location or server block of the relevant configuration file:
    set_cookie_flag HttpOnly secure;

By using proxy_cookie_path:

  • Add the following directive in ssl.conf or default.conf and restart the server:
    proxy_cookie_path / "/; HTTPOnly; Secure";

  

Set HttpOnly flag in Apache

  • Ensure mod_headers is enabled in the Apache HTTP server.

  • Add the following entry to httpd.conf and restart the server:

    Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
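The nginx and Apache rewrites above add the flags at the proxy layer. The following Python model is an added example (not code from the article, from Apache, or from nginx) that reproduces the effect of the `^(.*)$ $1;HttpOnly;Secure` edit on constructed Set-Cookie values and contrasts it with an idempotent rewrite that appends only the flags that are missing. It makes one caveat visible: the blanket edit appends HttpOnly and Secure to every Set-Cookie header, including cookies that already carry them, so those end up with duplicated attributes. Setting the flags in the application itself, as the earlier code sections do, avoids that.

```python
"""Model a proxy-level rewrite that appends HttpOnly/Secure to Set-Cookie.

Added example, not from the article or from any web server. Header values
are constructed for the demonstration.
"""


def naive_rewrite(set_cookie: str) -> str:
    """Effect of `Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure`:
    the whole value is captured and the flags are appended unconditionally."""
    return set_cookie + ";HttpOnly;Secure"


def idempotent_rewrite(set_cookie: str) -> str:
    """Append only the flags that are not already present.
    Attribute names are compared case-insensitively, so 'httponly' counts."""
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    present = {p.split("=", 1)[0].lower() for p in parts[1:]}
    for flag in ("HttpOnly", "Secure"):
        if flag.lower() not in present:
            parts.append(flag)
    return "; ".join(parts)


# Constructed Set-Cookie values as an upstream application might emit them
SAMPLES = [
    "a=1; Path=/",                            # no flags at all
    "s=1; Path=/; Secure; HttpOnly",          # already correct
    "t=1; path=/; httponly",                  # lower-case, Secure missing
]

if __name__ == "__main__":
    for value in SAMPLES:
        print("upstream:   ", value)
        print("naive:      ", naive_rewrite(value))
        print("idempotent: ", idempotent_rewrite(value))
        print()
```

The naive form is what the one-line Apache directive does; it is simple and safe to deploy, but a cookie that the application already flags will be sent as `...; Secure; HttpOnly;HttpOnly;Secure`. Browsers tolerate the repetition, yet it hides whether the application or the proxy is responsible for the flag, which matters when the proxy is later removed or bypassed.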

  
Written by Jijith Rajan, Cyber Security Engineer