Session Cookie without HttpOnly Flag

Description

The absence of the HttpOnly flag in session cookies allows client-side JavaScript to access them, which poses a security risk. Without the HttpOnly flag, session cookies are vulnerable to theft via Cross-Site Scripting (XSS) attacks, enabling attackers to hijack user sessions.

Recommendation

To mitigate the risk of session hijacking via XSS attacks, ensure all session cookies are set with the HttpOnly flag. This prevents client-side scripts from accessing them, enhancing the security of session management.

References

• CWE-1004
• CWE-16
• MDN Web Docs: HttpOnly cookie
• OWASP 2021-A5
• OWASP: HttpOnly
• OWASP: Session Management Cheat Sheet