khadem1386 2 Posted September 1, 2011 (edited)
My site is based on ASP 3. I got some notice about the security of my site.
--summary: your site's cookie is missing the "HttpOnly" attribute
--description: Sensitive cookies set by the application ("ASPSESSIONID") are not marked with HttpOnly. Without this, XSS attacks could be used to steal session identifiers and hijack user sessions. So an XSS vulnerability would need to exist in the application. A high skill level would be needed to exploit this vulnerability as an attacker.
--solution: Include HttpOnly on sensitive cookies as a defense-in-depth measure against the threat of session hijacking.
Please help me clear this up. I am using some cookies on my login page, and I am using some sessions. As far as I know, the session is saved on the client side too. Is my session a type of cookie, and does this danger apply to sessions too?
Please show me some code, like this:
Response.AddHeader "Set-Cookie", "mycookie=yo; HttpOnly"
What must I do? For example, my cookie is set like this:
Response.Cookies("A")("f") = email1
Thank you very much for your time.
Edited September 2, 2011 by khadem1386
justsomeguy 1,135 Posted September 1, 2011
A session cookie includes an ID that the server uses to look up the data for the session.
http://www.google.com/search?client=opera&...channel=suggest
khadem1386 2 Posted September 2, 2011 (Author)
I am searching and found this code.
1- What is the difference between these two pieces of code?
Response.Cookies("mycookie").Path = Response.Cookies("mycookie").Path + "; HttpOnly"
Response.AddHeader "Set-Cookie", "mycookie=yo; HttpOnly"
2- And when can I use them (on what page)?
3- If I set my cookie to HttpOnly, what are the results? (I am thinking about, and afraid of, limitations after it.)
4- Is there any difference between my sessions and my cookies? (I think that this notice is about my cookie management.) Yes?
Thank you very, very much for your time.
justsomeguy 1,135 Posted September 2, 2011
Those two pieces of code result in the same thing happening. You can use them on any page you want. For browsers that support HttpOnly, it means that JavaScript cannot access the cookies. ASP handles session cookies differently than regular cookies. .NET 2.0 will automatically set HttpOnly for session cookies.
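An added example, not code from the thread or from classic ASP itself: a small Python script that parses Set-Cookie header values the way the scanner's check does, flags session-style cookies that lack HttpOnly, and builds the header text that the two ASP snippets above produce. ASPSESSIONID is the name from the scanner notice; the other sensitive prefixes, the extra_sensitive parameter, the sample headers and the additional Secure check are my own assumptions, so the example goes slightly beyond what the thread discusses.

```python
# Added example (not code from the thread): audit Set-Cookie headers the way
# the scanner did, and build a header carrying HttpOnly. Cookie names other
# than ASPSESSIONID, and the Secure check, are assumptions for illustration.
from typing import Dict, Iterable, List, Optional, Tuple

# Prefixes treated as session/auth cookies. Classic ASP names its session
# cookie ASPSESSIONID followed by a per-process suffix; the rest are assumed.
SENSITIVE_PREFIXES = ("ASPSESSIONID", "ASP.NET_SESSIONID", "AUTH", "TOKEN")


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased so 'HttpOnly' and 'httponly' compare
    equal; value-less flags (HttpOnly, Secure) map to an empty string.
    The cookie value is kept raw, so a classic ASP dictionary cookie such
    as 'A=f=email1' parses as name 'A', value 'f=email1'.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def is_sensitive(name: str, extra: Iterable[str] = ()) -> bool:
    """True for session-style cookies or any name the caller lists in extra."""
    upper = name.upper()
    if upper in {e.upper() for e in extra}:
        return True
    return any(upper.startswith(p) for p in SENSITIVE_PREFIXES)


def audit_set_cookie_headers(headers: Iterable[str],
                             extra_sensitive: Iterable[str] = ()) -> List[str]:
    """Return one finding per sensitive cookie missing HttpOnly or Secure.

    This mirrors the scanner notice quoted in the first post: a cookie that
    page script can read (no HttpOnly) is stealable through any XSS bug.
    """
    findings: List[str] = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if not is_sensitive(name, extra_sensitive):
            continue
        if "httponly" not in attrs:
            findings.append(f"{name}: missing HttpOnly")
        if "secure" not in attrs:
            findings.append(f"{name}: missing Secure")
    return findings


def build_set_cookie(name: str, value: str, path: Optional[str] = None,
                     http_only: bool = True, secure: bool = False) -> str:
    """Build the header text the two ASP snippets in the thread produce.

    Response.AddHeader "Set-Cookie", "mycookie=yo; HttpOnly" writes this
    string directly; the Path trick appends '; HttpOnly' to the Path
    attribute, which yields the same 'Path=...; HttpOnly' tail.
    """
    if ";" in name + value or "," in name + value:
        raise ValueError("cookie name/value must not contain ';' or ','")
    pieces = [f"{name}={value}"]
    if path is not None:
        pieces.append(f"Path={path}")
    if secure:
        pieces.append("Secure")
    if http_only:
        pieces.append("HttpOnly")
    return "; ".join(pieces)


if __name__ == "__main__":
    # Constructed sample: headers an unpatched classic ASP page might send.
    sample = [
        "ASPSESSIONIDQQTTRRSS=ABCDEFGHIJKLMNOP; path=/",
        "A=f=email1; path=/",
    ]
    for line in audit_set_cookie_headers(sample, extra_sensitive=["A"]):
        print("finding:", line)
    print("fixed:", build_set_cookie("ASPSESSIONIDQQTTRRSS", "ABCDEFGHIJKLMNOP",
                                     path="/", secure=True))
```

Because the thread notes that classic ASP manages its own session cookie, the useful check after applying either snippet is to capture the real response headers and run them through the audit, rather than trusting the code change alone. HttpOnly only stops script from reading the cookie through document.cookie; an XSS payload can still issue requests that the browser sends with the cookie attached, which is why the scanner calls it a defense-in-depth measure rather than a fix for the XSS itself.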