Session Cookie Found Without httponly Set

According to the Microsoft Developer Network, HttpOnly is an additional flag included in a Set-Cookie HTTP response header. Using the HttpOnly flag when generating a cookie helps mitigate the risk of client-side script accessing the protected cookie (if the browser supports it).

If the optional HttpOnly flag is included in the HTTP response header, the cookie cannot be accessed through client-side script (again, if the browser supports this flag). As a result, even if a cross-site scripting (XSS) flaw exists and a user accidentally accesses a link that exploits this flaw, the browser (primarily Internet Explorer) will not reveal the cookie to a third party.
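A check for this finding over captured Set-Cookie headers, as an added Python example that is not part of the original page: it parses each header, treats attribute names case-insensitively, and reports cookies missing HttpOnly (and Secure). The sample headers and the list of framework session cookie names are constructed.

```python
"""Flag Set-Cookie headers that lack HttpOnly (and Secure). Added example."""
from typing import Dict, List, Tuple

# Constructed sample headers, as a scanner would capture them from responses.
SAMPLE_HEADERS = [
    "JSESSIONID=A1B2C3; Path=/app; HttpOnly",
    "PHPSESSID=xyz; path=/; secure",
    "ASP.NET_SessionId=abc; path=/; HttpOnly; Secure",
    "theme=dark; Max-Age=31536000",
]

# Default session cookie names of the frameworks discussed on this page
# (assumption: extend with the application's own session cookie name).
SESSION_COOKIE_NAMES = ("JSESSIONID", "PHPSESSID", "ASP.NET_SessionId")


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Return (cookie name, attributes) with attribute names lower-cased.

    Attribute names are case-insensitive (RFC 6265), so 'httponly',
    'HttpOnly' and 'HTTPONLY' all count; valueless flags map to ''.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if part:  # skip empty segments from a trailing ';'
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_cookies(headers: List[str]) -> Dict[str, List[str]]:
    """Map each cookie name to the protective flags it is missing."""
    report: Dict[str, List[str]] = {}
    for header in headers:
        name, attrs = parse_set_cookie(header)
        missing = [flag for flag in ("httponly", "secure") if flag not in attrs]
        if missing:
            report[name] = missing
    return report


def session_cookies_without_httponly(headers: List[str]) -> List[str]:
    """Names of known session cookies lacking HttpOnly: the finding on this page."""
    return [
        name for name, missing in audit_cookies(headers).items()
        if name in SESSION_COOKIE_NAMES and "httponly" in missing
    ]
```

Run `audit_cookies` over the Set-Cookie headers of a real response to see every cookie that lacks either flag; `session_cookies_without_httponly` narrows that to the session cookies this finding is about.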

Using Java to Set HttpOnly

Cookie cookie = getMyCookie("myCookieName");
cookie.setHttpOnly(true); // javax.servlet.http.Cookie, available since Servlet 3.0 (Java EE 6)

Moreover, since Java EE 6 the HttpOnly flag can also be set declaratively for the session cookie by adding the following configuration to the deployment descriptor WEB-INF/web.xml:

<session-config>
  <cookie-config>
    <http-only>true</http-only>
  </cookie-config>
</session-config>

  • Tomcat 6: in context.xml, set the Context tag's attribute useHttpOnly [7] as follows:

    <?xml version="1.0" encoding="UTF-8"?>
    <Context path="/myWebApplicationPath" useHttpOnly="true">
    </Context>

  • JBoss 5.0.1 and JBoss EAP 5.0.1: in \server\<myJBossServerInstance>\deploy\jbossweb.sar\context.xml, set the SessionCookie tag [8] as follows:

    <Context cookies="true" crossContext="true">
      <SessionCookie secure="true" httpOnly="true" />
    </Context>

Using .NET to Set HttpOnly

  • By default, .NET 2.0 sets the HttpOnly attribute for
    1. the Session ID cookie
    2. the Forms Authentication cookie

    In .NET 2.0, HttpOnly can also be set for all custom application cookies, either via web.config in the system.web/httpCookies element:

    <httpCookies httpOnlyCookies="true" />

    or programmatically via the HttpCookie object:

    C# Code:
    HttpCookie myCookie = new HttpCookie("myCookie");
    myCookie.HttpOnly = true;

    VB.NET Code:
    Dim myCookie As HttpCookie = New HttpCookie("myCookie")
    myCookie.HttpOnly = True

  • However, in .NET 1.1, you would have to do this manually, e.g., Response.Cookies[cookie].Path += ";HttpOnly";

Using PHP to set HttpOnly

For session cookies managed by PHP, the flag is set either permanently in php.ini through the parameter:
session.cookie_httponly = True

or at runtime within a script via the function:
void session_set_cookie_params ( int $lifetime [, string $path [, string $domain[, bool $secure= false [, bool $httponly= false ]]]] )

For application cookies, the last parameter of setcookie() sets the HttpOnly flag:
bool setcookie ( string $name [, string $value [, int $expire= 0 [, string $path[, string $domain [, bool $secure= false [, bool $httponly= false ]]]]]] )