This is a record of how I handled one finding from an NSFOCUS "Remote Security Assessment System" security assessment report.
Missing HttpOnly attribute detected in session cookie
A detailed description
The lack of the HttpOnly attribute on the session cookie allows an attacker to obtain the user's cookie through client-side programs (JS scripts, Applets, etc.), resulting in leakage of the user's cookie information and increasing the threat of cross-site scripting attacks.
HttpOnly is an extension made by Microsoft to cookies. This value specifies whether cookies can be accessed by client-side scripts. Microsoft Internet Explorer version 6 Service Pack 1 and later supports the cookie attribute HttpOnly.
If the HttpOnly attribute is not set to true in the cookie, the cookie may be stolen. Stolen cookies can contain sensitive information that identifies site users, such as ASP.NET session IDs or Forms authentication tickets, and attackers can replay stolen cookies to masquerade as users or obtain sensitive information, conduct cross-site scripting attacks, and more.
If the HttpOnly attribute is set to true in the cookie, and the compatible browser receives the HttpOnly cookie, the client will not be able to read the cookie information through programs (JS scripts, Applets, etc.), which will help mitigate cross-site scripting threats.
Solution
Add the "HttpOnly" attribute to all session cookies.
Java example:
HttpServletResponse response2 = (HttpServletResponse)response;
response2.setHeader( "Set-Cookie", "name=value; HttpOnly");
C# example:
HttpCookie myCookie = new HttpCookie("myCookie");
myCookie.HttpOnly = true;
Response.AppendCookie(myCookie);
VB.NET example:
Dim myCookie As HttpCookie = new HttpCookie("myCookie")
myCookie.HttpOnly = True
Response.AppendCookie(myCookie)
PHP solution
The above is the information provided in the report. The project I actually maintain is written in PHP, so here is how to solve this problem in PHP.
Modify php.ini
session.cookie_httponly = 1
Then restart the PHP service so the new setting takes effect.
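If php.ini is not under your control (shared hosting, or a container image you do not build), the same directives can be applied from application code before session_start(). The following is an added example and is not code from the original post or from the NSFOCUS report; the cookie name remember_me and its value are placeholders.

```php
<?php
// Added example, not from the original post or the NSFOCUS report.
// Sets the HttpOnly (and Secure, SameSite) flags on the PHP session cookie
// from application code, for deployments where php.ini cannot be edited.
// This must run before session_start(), because the cookie is sent then.

declare(strict_types=1);

// Option 1: override the ini directives at runtime (same effect as php.ini).
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_secure', '1');    // HTTPS only; drop on plain-HTTP dev hosts
ini_set('session.cookie_samesite', 'Lax');
ini_set('session.use_only_cookies', '1'); // never accept a session id from the URL

// Option 2 (PHP >= 7.3): the array form of session_set_cookie_params().
session_set_cookie_params([
    'lifetime' => 0,       // session cookie, removed when the browser closes
    'path'     => '/',
    'domain'   => '',      // current host only
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);

session_start();

// Any additional cookie set with setcookie() needs the flag as well; the
// options-array form (PHP >= 7.3) is used here. Name and value are placeholders.
setcookie('remember_me', 'token-placeholder', [
    'expires'  => time() + 86400 * 30,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);

// Self-check: confirm the flags that will be applied to the session cookie.
$params = session_get_cookie_params();
if (!$params['httponly']) {
    error_log('session cookie is still missing HttpOnly');
}
```

After deploying, re-run the scanner or inspect the Set-Cookie response header to confirm that the HttpOnly flag is now present.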
Check whether the bug is still present: open the browser's developer console on the site and run
alert(document.cookie);
If the session cookie value is displayed, the bug is still present.
There is another way, as shown in the following figure:
reference
https://stackoverflow.com/questions/51205876/https-cookie-httponly-and-secure