Missing HttpOnly attribute detected in session cookie

This is a record of how I handled one finding from an NSFOCUS "Remote Security Assessment System" scan report.

Missing HttpOnly attribute detected in session cookie

Detailed description

Without the HttpOnly attribute, a session cookie can be read by client-side code (JavaScript via document.cookie, applets, and so on). Any cross-site scripting flaw on the site can then exfiltrate the cookie, which turns an XSS bug into a session hijack.

HttpOnly is a cookie attribute originally introduced by Microsoft; it specifies whether the cookie may be accessed by client-side script. Internet Explorer 6 Service Pack 1 and later support it, and it has since been standardised in RFC 6265 and is honoured by every current browser.

If HttpOnly is not set, the cookie can be stolen by script. Stolen cookies often carry values that identify the user to the site, such as an ASP.NET session ID or a Forms authentication ticket, and an attacker who obtains one through a cross-site scripting flaw can replay it to impersonate the user or read their data.

If HttpOnly is set and the browser supports it, page script cannot read the cookie (document.cookie simply omits it), which blunts cookie theft via cross-site scripting. It is a mitigation, not a fix: script injected by XSS can still issue requests in the victim's session from within the page, and HttpOnly says nothing about the network path, so the Secure attribute is needed as well to keep the cookie off plain HTTP.

Solution

Add the "HttpOnly" attribute to all session cookies.

Java example:

// In a servlet or Filter; addHeader keeps any Set-Cookie already queued (setHeader would replace it).
HttpServletResponse response2 = (HttpServletResponse) response;
response2.addHeader("Set-Cookie", "name=value; HttpOnly");
// Servlet 3.0+: Cookie.setHttpOnly(true), or <cookie-config><http-only>true</http-only></cookie-config> in web.xml for JSESSIONID.

C# example:

// ASP.NET (System.Web); HttpOnly = true adds the attribute to the emitted Set-Cookie header.
HttpCookie myCookie = new HttpCookie("myCookie");
myCookie.HttpOnly = true;
Response.AppendCookie(myCookie);
// Site-wide default for every cookie: <httpCookies httpOnlyCookies="true" /> under <system.web> in web.config.

VB.NET example:

' ASP.NET (System.Web); same as the C# version above.
Dim myCookie As HttpCookie = New HttpCookie("myCookie")
myCookie.HttpOnly = True
Response.AppendCookie(myCookie)

PHP solution

The above is what the report provides. The project I actually maintain is written in PHP, so here is how to fix the finding there.
Modify php.ini

session.cookie_httponly = 1

Then restart PHP (php-fpm, or the web server when PHP runs as a module) so the new setting is loaded. Note that session.cookie_httponly only affects the session cookie (PHPSESSID by default); cookies the application sets itself with setcookie() need the flag passed explicitly.
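The following is an added example, not code from the original post or from the scanner report. It shows the two places where a PHP application controls the HttpOnly flag: the session cookie, which the php.ini directive above covers, and cookies set with setcookie(), which it does not. The "remember" cookie, its token and the PHP 7.3+ array-style calls are assumptions made for the example.

```php
<?php
// Added example (not code from the original post or from the scanner report).
// It shows the two places a PHP application controls the HttpOnly flag:
//   1. the session cookie (PHPSESSID), which session.cookie_httponly covers;
//   2. cookies the application sets itself with setcookie(), which that ini
//      directive does NOT cover, so the flag must be passed explicitly.
// Assumed: PHP 7.3 or newer (array form of session_set_cookie_params() and
// setcookie()), served over HTTPS, run under PHP-FPM or `php -S`, not the CLI.

declare(strict_types=1);

// 1. Session cookie. Same effect as session.cookie_httponly = 1 (plus
//    session.cookie_secure and session.cookie_samesite) in php.ini, but
//    enforced from code so it holds even on a host whose php.ini you do not
//    control. Must be called before session_start().
session_set_cookie_params([
    'lifetime' => 0,        // session cookie, discarded when the browser closes
    'path'     => '/',
    'domain'   => '',       // current host only
    'secure'   => true,     // never sent over plain http://
    'httponly' => true,     // invisible to document.cookie
    'samesite' => 'Lax',
]);
session_start();

// 2. Application cookie, e.g. a "remember me" token (assumed: an opaque random
//    value looked up server-side, not user data).
$token = bin2hex(random_bytes(32));

// WEAK: this is what the scanner flags. No HttpOnly, no Secure, no SameSite.
// setcookie('remember', $token, time() + 86400 * 30, '/');

// FIXED: the same cookie with every attribute spelled out.
setcookie('remember', $token, [
    'expires'  => time() + 86400 * 30,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);

// Self-check before the response goes out: log any Set-Cookie header that is
// still missing HttpOnly. Handy as a one-off while fixing, or kept as a guard
// in a large code base with many scattered setcookie() calls.
foreach (headers_list() as $header) {
    if (stripos($header, 'Set-Cookie:') === 0 && stripos($header, 'httponly') === false) {
        error_log('Set-Cookie without HttpOnly: ' . $header);
    }
}
```

The php.ini change is still worth making as the default, but the code above is what protects a project whose cookies are set in many places: grep for setcookie( and session_set_cookie_params( and make sure each call passes the flag.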

Check whether the issue is still present

// Run in the browser's developer console while logged in to the site.
alert(document.cookie);

If the session cookie (PHPSESSID for a PHP application) appears in the output, the flag is still missing. Cookies that carry HttpOnly are simply absent from document.cookie, while other cookies set without the flag still show up, so look for the session cookie by name rather than for an empty string.

There is another way, shown in a figure in the original post that is not reproduced here.
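The console check above only works from inside a logged-in browser session. The following is an added example, not code from the original post, that performs the same audit the scanner does on the Set-Cookie headers of a response, so the fix can be verified from the command line or from a CI job. The header values in it are a constructed sample, not captured from any real site, and the list of session-cookie names is an assumption.

```php
<?php
// Added example (not code from the original post). Audits Set-Cookie headers
// for the HttpOnly, Secure and SameSite attributes, the way the scanner does.
// Assumed: PHP 7.4 or newer. The sample headers below are constructed.

declare(strict_types=1);

/**
 * Split one Set-Cookie header value into the cookie name and an attribute map.
 * Attribute names are compared case-insensitively, as RFC 6265 requires;
 * valueless attributes such as HttpOnly map to true.
 */
function parseSetCookie(string $header): array
{
    $parts = array_map('trim', explode(';', $header));
    [$name] = explode('=', array_shift($parts), 2);
    $attrs = [];
    foreach ($parts as $p) {
        if ($p === '') {
            continue;
        }
        [$k, $v] = array_pad(explode('=', $p, 2), 2, true);
        $attrs[strtolower($k)] = $v;
    }
    return ['name' => trim($name), 'attrs' => $attrs];
}

/**
 * For each Set-Cookie header, report which of httponly / secure / samesite is
 * missing, and whether the cookie name is one of the well-known session cookie
 * names (assumed list) so the HttpOnly finding on it can be prioritised.
 */
function auditSetCookies(array $setCookieHeaders): array
{
    $findings = [];
    foreach ($setCookieHeaders as $h) {
        $c = parseSetCookie($h);
        $missing = [];
        foreach (['httponly', 'secure', 'samesite'] as $flag) {
            if (!array_key_exists($flag, $c['attrs'])) {
                $missing[] = $flag;
            }
        }
        $findings[$c['name']] = [
            'missing' => $missing,
            'session' => (bool) preg_match('/^(PHPSESSID|JSESSIONID|ASP\.NET_SessionId)$/i', $c['name']),
        ];
    }
    return $findings;
}

// Constructed sample: a PHP site before and after the php.ini change. The
// "theme" cookie is deliberately left readable by script; the audit still
// lists it so the reviewer can decide whether that is intended.
$before = ['PHPSESSID=abc123; path=/'];
$after  = [
    'PHPSESSID=abc123; path=/; HttpOnly; Secure; SameSite=Lax',
    'theme=dark; path=/',
];

foreach (['before' => $before, 'after' => $after] as $label => $headers) {
    echo $label, ":\n";
    foreach (auditSetCookies($headers) as $name => $f) {
        $tag = $f['session'] ? ' (session cookie)' : '';
        echo '  ', $name, $tag, ' missing: ', implode(', ', $f['missing']) ?: 'nothing', "\n";
    }
}
```

To run it against a live host, replace the sample with the real headers: `get_headers($url, true)['Set-Cookie']` returns a string for one cookie and an array for several, and `curl -sI https://host/login` prints the same lines for pasting in. Expect the session cookie to report nothing missing once the fix is deployed.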

Reference

https://stackoverflow.com/questions/51205876/https-cookie-httponly-and-secure

Source: blog.csdn.net/lxyoucan/article/details/131724444