Description
The absence of the HttpOnly flag in session cookies allows client-side JavaScript to access them, which poses a security risk. Without the HttpOnly flag, session cookies are vulnerable to theft via Cross-Site Scripting (XSS) attacks, enabling attackers to hijack user sessions.
Recommendation
To mitigate the risk of session hijacking via XSS attacks, ensure all session cookies are set with the HttpOnly flag. This prevents client-side scripts from accessing them, enhancing the security of session management.
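The following is an added example, not SmartScanner's code, covering both the issue described above and the recommended fix: it parses Set-Cookie response headers, reports session cookies that a browser would expose to document.cookie because HttpOnly is absent, and builds a corrected Set-Cookie header. The name pattern used to decide which cookies count as session cookies, and the sample headers, are assumptions constructed for the example.

```javascript
// Added example (not SmartScanner's code): audit Set-Cookie headers for
// session cookies lacking HttpOnly, and build a corrected header.
// Which cookie names are treated as session cookies is an assumption here.
const SESSION_NAME_PATTERN = /(sess|sid|token|auth)/i;

// Parse one Set-Cookie header value into { name, value, attrs }.
// attrs keys are lower-cased attribute names; flag attributes map to true.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [nameValue, ...attrParts] = parts;
  const eq = nameValue.indexOf('=');
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq).trim();
  const value = eq === -1 ? '' : nameValue.slice(eq + 1).trim();
  const attrs = {};
  for (const part of attrParts) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// Return the names of session cookies that lack the HttpOnly attribute,
// i.e. cookies that client-side script could read via document.cookie.
function findSessionCookiesWithoutHttpOnly(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => SESSION_NAME_PATTERN.test(c.name) && !c.attrs.httponly)
    .map((c) => c.name);
}

// Build a Set-Cookie header for a session cookie with HttpOnly set.
// Secure and SameSite are included as well, matching the related issues
// listed on this page.
function buildSessionCookie(name, value, { maxAge = 3600 } = {}) {
  return `${name}=${value}; Path=/; Max-Age=${maxAge}; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed sample response headers, as a scanner might observe them.
const SAMPLE_HEADERS = [
  'JSESSIONID=abc123; Path=/; Secure',
  'theme=dark; Path=/',
  'auth_token=xyz; Path=/; HttpOnly; Secure; SameSite=Strict',
];

console.log('Session cookies without HttpOnly:', findSessionCookiesWithoutHttpOnly(SAMPLE_HEADERS));
console.log('Corrected header:', buildSessionCookie('JSESSIONID', 'abc123'));
```

Running the block reports JSESSIONID as exposed (Secure is set, but HttpOnly is missing), while auth_token passes; the corrected header returned by buildSessionCookie parses back with the httponly attribute present, which is the check a scanner or a unit test in the application can assert on.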
References
- OWASP: HttpOnly
- OWASP: Session Management Cheat Sheet
- MDN Web Docs: HttpOnly cookie
- CWE-1004
- CWE-16
- OWASP 2021-A5
Related Issues
- Cookie without HttpOnly Flag - Vulnerability
- Session Cookie without SameSite Flag - Vulnerability
- Session Cookie without Secure Flag - Vulnerability
- Cookie without SameSite Flag - Vulnerability
Tags:
- HTTP Headers
- Cookie
- Cross Site Scripting (XSS)
- Application Misconfiguration
Last updated on May 13, 2024