
httponly



My site is based on ASP 3. I got some notice about the security of my site.

-- summary: your site's Cookie Missing "HttpOnly" Attribute
-- description: Sensitive cookies set by the application ("ASPSESSIONID") are not marked with HttpOnly. Without this, XSS attacks could be used to steal session identifiers and hijack user sessions. SO an XSS vulnerability would need to exist in the application. A high skill level would be needed to exploit this vulnerability as an attacker.
-- solution: Include HttpOnly on sensitive cookies as a defense-in-depth measure against the threat of session hijacking.

Please help me to clear this up. I am using some cookies on my login page, and I am using some sessions. As I know that sessions are saved on the client side too, is my session a type of cookie? And is this danger for sessions too? Please show me some code, like this:

Response.AddHeader "Set-Cookie", "mycookie=yo; HttpOnly"

What must I do? For example, my cookie name is

Response.Cookies("A")("f") = email1

Thank you very much for your time

Edited by khadem1386

I was searching and found this code. 1- What is the difference between these codes?

Response.Cookies("mycookie").Path = Response.Cookies("mycookie").Path + "; HttpOnly"

Response.AddHeader "Set-Cookie", "mycookie=yo; HttpOnly"

2- And when can I use them? (on what page) 3- If I set my cookie to HttpOnly, what are the results? (I think about and am afraid of limitations after it) 4- Is there any difference between my sessions and my cookies? (I think that this notice is for my cookie management) yes? Thank you very, very much for your time.


Those two pieces of code result in the same thing happening. You can use them on any page you want. For browsers that support HttpOnly, it means that JavaScript cannot access the cookies. ASP handles session cookies differently than regular cookies. .NET 2.0 will automatically set HttpOnly for session cookies.

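An added example, not code from this thread, from ASP or from the scanner that raised the notice: a small Python audit that parses Set-Cookie response headers the way such a scanner does and reports which sensitive cookies lack the HttpOnly (and, as a related check, Secure) attribute. The sample headers are constructed to mimic what a classic ASP page emits; the ASPSESSIONID suffix, the cookie named "A" and the value "email1" are assumptions based on the question. Running it shows that the AddHeader form and the Path trick from the thread both produce a header carrying HttpOnly, while the default session cookie and the plain Response.Cookies("A")("f") cookie do not.

```python
"""Audit Set-Cookie response headers for cookies that lack HttpOnly/Secure."""
from typing import Dict, List, Tuple

# Classic ASP names its session cookie ASPSESSIONID plus a random suffix;
# ASP.NET uses ASP.NET_SessionId.
SESSION_COOKIE_PREFIXES = ("aspsessionid", "asp.net_sessionid")


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split one Set-Cookie header value into (name, value, attributes).

    Attribute names are lower-cased because browsers match them
    case-insensitively; flag attributes such as HttpOnly get an empty value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def is_session_cookie(name: str) -> bool:
    """True for the engine-set session cookie of classic ASP or ASP.NET."""
    return name.lower().startswith(SESSION_COOKIE_PREFIXES)


def audit_cookies(headers: List[str],
                  extra_sensitive: Tuple[str, ...] = ()) -> List[Tuple[str, List[str]]]:
    """Return (cookie name, missing attributes) for every sensitive cookie.

    A cookie counts as sensitive if it is the session cookie or if its name
    is listed in extra_sensitive (e.g. a login cookie the application sets).
    """
    findings: List[Tuple[str, List[str]]] = []
    for header in headers:
        name, _value, attrs = parse_set_cookie(header)
        if not (is_session_cookie(name) or name in extra_sensitive):
            continue
        missing = [a for a in ("HttpOnly", "Secure") if a.lower() not in attrs]
        findings.append((name, missing))
    return findings


# Constructed sample headers (not captured from a real site):
SAMPLE_HEADERS = [
    # the engine-set session cookie as a classic ASP page emits it by default
    # (suffix and value are placeholders)
    "ASPSESSIONIDQGQGQ=PLACEHOLDERSESSIONVALUE; path=/",
    # Response.Cookies("A")("f") = email1 with no attributes added
    "A=f=email1; path=/",
    # Response.AddHeader "Set-Cookie", "mycookie=yo; HttpOnly" (from the thread)
    "mycookie=yo; HttpOnly",
    # the Path trick from the thread: the Path property becomes "/; HttpOnly"
    "mycookie=yo; path=/; HttpOnly",
]


def run_sample_audit() -> List[Tuple[str, List[str]]]:
    """Audit the constructed headers, treating "A" and "mycookie" as sensitive."""
    return audit_cookies(SAMPLE_HEADERS, extra_sensitive=("A", "mycookie"))


if __name__ == "__main__":
    for cookie_name, missing in run_sample_audit():
        status = "ok" if not missing else "missing " + ", ".join(missing)
        print(f"{cookie_name}: {status}")
```

The audit only inspects response headers, so it can be pointed at the raw output of any page (for example a saved HTTP response from the login page) without touching the ASP code. Note that the Path trick works because classic ASP writes the Path property verbatim into the header, so anything appended after a semicolon is sent as a further cookie attribute.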
