/vulndb/Session Cookie not Flagged as HTTPOnly

The “HTTPOnly” flag applies to the Set-Cookie HTTP response header to indicate that the cookie cannot be accessed by client-side code such as JavaScript, Flash, and other client-side components.

If an attacker is able to inject JavaScript (through an XSS vulnerability, for example), the injected code can read the user's cookies. This can lead to session hijacking and leakage of confidential information.

Solution

If the application does not need to access the cookie from client-side code, it is recommended to set the "HTTPOnly" flag on it. With the HTTPOnly flag in place, the browser will not expose the cookie to script (for example via document.cookie), so code injected through a Cross-site Scripting attack cannot read it.
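As an added example (not part of the original vulndb entry), the following helper parses Set-Cookie response headers, reports which cookies are missing the HttpOnly attribute, and shows how a non-compliant header is corrected. The cookie names and values are constructed sample data.

```python
# Added example (not part of the original vulndb entry): audit Set-Cookie
# headers for a missing HttpOnly attribute and show the corrected header.
# Cookie names and values below are constructed sample data.

def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        # Attribute names are case-insensitive (RFC 6265), so normalise them.
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def cookies_missing_httponly(set_cookie_headers):
    """Return the names of cookies whose Set-Cookie header lacks HttpOnly."""
    missing = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if "httponly" not in attrs:
            missing.append(name)
    return missing


def add_httponly(header_value):
    """Return the header unchanged if HttpOnly is present, else append it."""
    _, _, attrs = parse_set_cookie(header_value)
    fixed = header_value.rstrip("; ")
    if "httponly" not in attrs:
        fixed += "; HttpOnly"
    return fixed


# Constructed sample response headers: the session cookie is flagged Secure
# but not HttpOnly, so script can still read it; the CSRF token is set correctly.
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/; Secure",
    "csrftoken=xyz; Path=/; Secure; HttpOnly",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    for name in cookies_missing_httponly(SAMPLE_HEADERS):
        print(f"cookie {name!r} is readable by client-side script (no HttpOnly)")
    print(add_httponly(SAMPLE_HEADERS[0]))
```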

References

https://www.owasp.org/index.php/HttpOnly