Learn how to prevent HttpOnly cookie vulnerabilities with real code examples and best practices. Protect your web applications from session hijacking and XSS attacks.
The HttpOnly flag is a security feature that helps prevent client-side access to cookie data through JavaScript. When a cookie is set with the HttpOnly flag, it becomes inaccessible to client-side scripting languages like JavaScript, helping protect against Cross-Site Scripting (XSS) attacks.
Without the HttpOnly flag, cookies are vulnerable to:
Theft through XSS attacks
Session hijacking
Unauthorized access to sensitive cookie data
Client-side manipulation of cookie values
This guide covers HttpOnly cookie vulnerabilities, examples, prevention methods, and how to properly secure cookies in your applications.
One Simple HttpOnly Cookie Vulnerability Example
Consider this basic example of setting a cookie:
Cookie cookie = new Cookie("sessionId", sessionValue);
response.addCookie(cookie);
An attacker exploiting an XSS vulnerability could steal this cookie using JavaScript:
The cookie data would be accessible because the HttpOnly flag is not set, allowing the attacker to hijack the user's session.
HttpOnly Cookie Prevention Methods: How to Fix Your Code
The most effective way to fix HttpOnly cookie vulnerabilities is to explicitly set the HttpOnly flag when creating cookies. This ensures that the cookie cannot be accessed through client-side scripts, providing an additional layer of security against XSS attacks.
Code Samples
Vulnerable Code
Cookie cookie = new Cookie("sessionId", sessionValue);
Fixed Code
Cookie cookie = new Cookie("sessionId", sessionValue);
cookie.setHttpOnly(true);
response.addCookie(cookie);
Fix Explanation
The vulnerable code creates a cookie without the HttpOnly flag.The fix explicitly sets the HttpOnly flag using setHttpOnly(true).This prevents JavaScript access to the cookie.The cookie becomes more resistant to XSS attacks.
The vulnerable code sets a cookie without the HttpOnly flag.The fix adds the httpOnly option to the cookie configuration.This prevents client-side JavaScript from accessing the cookie.The cookie becomes more secure against XSS attacks.
The vulnerable code creates a cookie without the HttpOnly flag.The fix adds the httponly parameter set to True.This prevents JavaScript from accessing the cookie.The cookie becomes protected against client-side script access.
Vulnerable Code
HttpCookie cookie = new HttpCookie("sessionId", sessionValue);
Response.Cookies.Add(cookie);
Fixed Code
HttpCookie cookie = new HttpCookie("sessionId", sessionValue);
cookie.HttpOnly = true;
Response.Cookies.Add(cookie);
Fix Explanation
The vulnerable code creates a cookie without the HttpOnly property.The fix sets the HttpOnly property to true.This prevents client-side access to the cookie.The cookie becomes more secure against XSS attacks.
The vulnerable code sets a cookie without the HttpOnly flag.The fix adds true as the last parameter to enable HttpOnly.This prevents JavaScript access to the cookie.The cookie becomes protected against client-side access.
The vulnerable code creates a cookie without the HttpOnly flag.The fix adds the httponly: true option to the cookie.This prevents JavaScript from accessing the cookie.The cookie becomes more secure against XSS attacks.
Need more help in preventing HttpOnly Cookie vulnerabilities?
Mobb supports fixing many forms of HttpOnly Cookie vulnerabilities, and can mitigate your issues in batch.
