WebSecurity: Cookie without HttpOnly Flag set

In any web application, Cookies play a very significant behavior of the application. Whether user experiences, personalization, analytics or session management, Cookies are part of every web module. The importance of cookies in a web application is so critical that privacy regulation put clause about cookies & web apps. And, Every web application must alert to the user.

Importance of HttpOnly Flag in Cookie

If the HttpOnly attribute is set on a cookie, then the cookie’s value cannot be read or set by client-side Javascript. This measure makes certain client-side attacks, such as cross-site scripting, slightly harder to exploit by preventing them from trivially capturing the cookie’s value via an injected script.

Should Every cookie have HttpOnly Flag set?

There is usually no good reason not to set HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie’s value.

So, Setting of HttpOnly flag is always conditional & you should evaluate when to set.

How to set HttpFlag in cookie?

#J2EE Servlet API
Cookie cookie = request.getCookie("myCookieName");
cookie.setHttpOnly(true);

#Java Enterprise application WEB-INF/web.xml
<session-config>
 <cookie-config>
  <http-only>true</http-only>
 </cookie-config>
</session-config>

#Tomcat 6 In context.xml
<?xml version="1.0" encoding="UTF-8"?>
<Context path="/exampleApp" useHttpOnly="true">
Advertisements


Categories: web application security, web security

Tags: , ,

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.