Session Cookie without HttpOnly Flag

Description

The absence of the HttpOnly flag in session cookies allows client-side JavaScript to access them, which poses a security risk. Without the HttpOnly flag, session cookies are vulnerable to theft via Cross-Site Scripting (XSS) attacks, enabling attackers to hijack user sessions.

Recommendation

To mitigate the risk of session hijacking via XSS attacks, ensure all session cookies are set with the HttpOnly flag. This prevents client-side scripts from accessing them, enhancing the security of session management.

References

• OWASP: HttpOnly
• OWASP: Session Management Cheat Sheet
• MDN Web Docs: HttpOnly cookie
• CWE-1004
• CWE-16
• OWASP 2021-A5

Related Issues

• Cookie without HttpOnly Flag - Vulnerability
• Session Cookie without SameSite Flag - Vulnerability
• Session Cookie without Secure Flag - Vulnerability
• Cookie without SameSite Flag - Vulnerability

Tags:

HTTP Headers

Cookie

Cross Site Scripting (XSS)

Application Misconfiguration