khadem1386 Posted September 1, 2011

My site is based on ASP 3. I got some notice about the security of my site.

Summary: your site's cookie is missing the "HttpOnly" attribute.

Description: Sensitive cookies set by the application ("ASPSESSIONID") are not marked with HttpOnly. Without this, XSS attacks could be used to steal session identifiers and hijack user sessions. So an XSS vulnerability would need to exist in the application. A high skill level would be needed to exploit this vulnerability as an attacker.

Solution: Include HttpOnly on sensitive cookies as a defense-in-depth measure against the threat of session hijacking.

Please help me to clear this up. I am using some cookies on my login page, and I am using some sessions. As I know, the session is saved on the client side too. Is my session a type of cookie, and is this danger type for sessions too? Please show me some code, like this:

Response.AddHeader "Set-Cookie", "mycookie=yo; HttpOnly"

What must I do? For example, my cookie name is:

Response.Cookies("A")("f") = email1

Thank you very much for your time.
justsomeguy Posted September 1, 2011

A session cookie includes an ID that the server uses to look up the data for the session.

http://www.google.com/search?client=opera&...channel=suggest
khadem1386 Posted September 2, 2011

I was searching and found this code.

1- What is the difference between these codes?

Response.Cookies("mycookie").Path = Response.Cookies("mycookie").Path + "; HttpOnly"

Response.AddHeader "Set-Cookie", "mycookie=yo; HttpOnly"

2- And when can I use them? (On what page?)

3- If I set my cookie to HttpOnly, what are its results? (I think about and am afraid of limitations after it.)

4- Is there any difference between my sessions and my cookies? (I think that this notice is for my cookie management.) Yes?

Thank you very very much for your time.
justsomeguy Posted September 2, 2011

Those two pieces of code result in the same thing happening. You can use them on any page you want. For browsers that support HttpOnly, it means that JavaScript cannot access the cookies. ASP handles session cookies differently than regular cookies. .NET 2.0 will automatically set HttpOnly for session cookies.
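The scanner notice in the question is just a check of the Set-Cookie headers the site sends. The script below is an added example (not code from either poster) that parses Set-Cookie values and flags sensitive cookies that lack HttpOnly; the sample headers are constructed, and the exact layout ASP produces for the Path trick (a "path=/; HttpOnly" tail) is an assumption.

```python
# Added example, not from the thread: audit Set-Cookie headers for the
# HttpOnly attribute, which is the check behind the scanner notice above.

# Classic ASP names its session cookie ASPSESSIONID plus a random suffix, so
# sensitive cookies are matched by prefix; extra exact names can be passed in.
SENSITIVE_PREFIXES = ("ASPSESSIONID",)


def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (name, value, attributes).
    Attribute keys are lower-cased; flag attributes such as HttpOnly map to ""."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_cookies(headers, prefixes=SENSITIVE_PREFIXES, exact_names=()):
    """Return [(cookie name, finding)] for each sensitive cookie lacking
    HttpOnly; an empty list means every sensitive cookie is protected."""
    findings = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        sensitive = (name.upper().startswith(tuple(p.upper() for p in prefixes))
                     or name in exact_names)
        if sensitive and "httponly" not in attrs:
            findings.append((name, "missing HttpOnly"))
    return findings


# Constructed sample headers (not captured from any real site).
SAMPLE_HEADERS = [
    # session cookie as classic ASP emits it by default: no HttpOnly
    "ASPSESSIONIDQACBDEFG=ABCDEFGHIJKLMNOPQRSTUVWX; path=/",
    # the Response.AddHeader form from the thread
    "mycookie=yo; HttpOnly",
    # what appending "; HttpOnly" to the Path property yields (assumed layout)
    "othercookie=yo; path=/; HttpOnly",
    # the login cookie from the question, approximated as a simple cookie
    "A=email1; path=/",
]

if __name__ == "__main__":
    # Treat the login cookie "A" as sensitive too, since the server trusts it.
    for name, finding in audit_cookies(SAMPLE_HEADERS, exact_names=("A",)):
        print(f"{name}: {finding}")
```

Any cookie the server uses to decide who the user is (the login cookie as well as ASPSESSIONID) belongs in the sensitive set, which is why the usage call passes "A" explicitly.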