REQ.029 Cookies with security attributes

This document contains the details of the security requirement related to web application session management and session variables. It establishes the importance of setting cookies with the required security attributes, such as HttpOnly and Secure.


The session cookies of web applications must have security attributes (HttpOnly, Secure).


When a web application handles sessions, you can use several attributes to improve the security of the cookies that carry those sessions. The HttpOnly attribute prevents theft of the session cookie by denying client-side scripts visibility of and access to it (even when cross-site scripting [XSS] attacks are used), and the Secure attribute allows the cookie to be sent only when the request is encrypted (using HTTPS). Together they greatly mitigate session theft and therefore increase the integrity of the application.


  1. Implement the HttpOnly attribute: If the HttpOnly attribute is present in the HTTP response header, the cookie cannot be accessed by client-side scripts. As a result, even if a cross-site scripting (XSS) vulnerability exists and a user accidentally follows a link that exploits it, the browser will not reveal the cookie to a third party.

    If a browser does not support HttpOnly and the website tries to set the HttpOnly attribute, the browser ignores the attribute and creates a traditional cookie accessible to scripts. As a result, the cookie (usually a session cookie) becomes vulnerable to theft or modification by a malicious script.

  2. Implement the Secure attribute: The Secure attribute is an option that the application server can apply when a new cookie is sent to the user in an HTTP response. Its purpose is to prevent the cookie from being viewed by unauthorized third parties as a result of plain-text transmission.
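The two implementation steps above can be checked mechanically. The following is an added example, not code from Fluid Attacks: it parses the Set-Cookie headers of an HTTP response, flags session cookies that lack HttpOnly or Secure, and shows how a compliant Set-Cookie header looks. The sample response headers are constructed, and the list of session cookie names is an assumption (adapt it to the framework you audit).

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure attributes (REQ.029).

Added example, not Fluid Attacks' code. Header samples are constructed and
SESSION_COOKIE_NAMES is an assumed list of common session cookie names.
"""
from __future__ import annotations

from dataclasses import dataclass

# Attributes REQ.029 requires on every session cookie.
REQUIRED_ATTRIBUTES = ("HttpOnly", "Secure")

# Assumption: cookie names that carry a session in common frameworks.
SESSION_COOKIE_NAMES = {"sessionid", "jsessionid", "phpsessid", "asp.net_sessionid"}


@dataclass
class ParsedCookie:
    name: str
    value: str
    attributes: dict[str, str]  # attribute name (lower-cased) -> value, "" for flags


def parse_set_cookie(header_value: str) -> ParsedCookie:
    """Parse one Set-Cookie header value: 'name=value; Attr=val; Flag'."""
    parts = [p.strip() for p in header_value.split(";")]
    # Only the first '=' separates name and value; the value may itself contain '='.
    name, _, value = parts[0].partition("=")
    attributes: dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attributes[key.strip().lower()] = val.strip()
    return ParsedCookie(name.strip(), value.strip(), attributes)


def audit_session_cookies(headers: list[tuple[str, str]],
                          session_names: set[str] = SESSION_COOKIE_NAMES) -> dict[str, list[str]]:
    """Return {session cookie name: [missing required attributes]}.

    Non-session cookies are ignored; an empty list means the cookie is compliant.
    """
    findings: dict[str, list[str]] = {}
    for header_name, header_value in headers:
        if header_name.lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(header_value)
        if cookie.name.lower() not in session_names:
            continue
        findings[cookie.name] = [
            attr for attr in REQUIRED_ATTRIBUTES if attr.lower() not in cookie.attributes
        ]
    return findings


def build_set_cookie(name: str, value: str, path: str = "/") -> str:
    """Build a Set-Cookie header value that satisfies REQ.029."""
    return f"{name}={value}; Path={path}; Secure; HttpOnly"


# Constructed sample: headers of a login response that sets three cookies.
SAMPLE_RESPONSE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=7f1c2a; Path=/"),         # neither attribute
    ("Set-Cookie", "PHPSESSID=9d0e; Path=/; Secure"),    # HttpOnly missing
    ("Set-Cookie", "theme=dark; Path=/"),                 # not a session cookie
]


if __name__ == "__main__":
    for name, missing in audit_session_cookies(SAMPLE_RESPONSE_HEADERS).items():
        status = "OK" if not missing else "missing " + ", ".join(missing)
        print(f"{name}: {status}")
    print("compliant header:", build_set_cookie("JSESSIONID", "7f1c2a"))
```

Running the block prints one line per session cookie found in the constructed response; a cookie with an empty "missing" list satisfies the requirement. The parser treats attribute names case-insensitively, as browsers do.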


  1. Exceptions for the HttpOnly attribute: Web applications that use JavaScript for the majority of their operations may use an anti-Cross-Site Request Forgery (CSRF) technique that relies on the same-origin policy. This technique consists of setting a cookie containing a random token. Client-side JavaScript reads its value and copies it into a custom HTTP CSRF header sent with each request. The security of this technique rests on the assumption that only JavaScript running within the same origin will be able to access the cookie. JavaScript running from a rogue file or email will not be able to read it and copy it into the custom header. Even though the CSRF cookie will be sent automatically with the rogue request, the server will still expect a valid CSRF header. In this implementation, the CSRF cookie must not have the HttpOnly attribute, as it is intended to be read by JavaScript by design. However, the protection provided by this technique can be thwarted if the target website disables its same-origin policy using one of the following techniques [8]:

    • Access-Control-Allow-Origin header set to *.

    • clientaccesspolicy.xml file granting unintended access to Silverlight controls.

    • crossdomain.xml file granting unintended access to Flash.
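The exception above is easier to reason about with the server side written out. The following is an added example, not Fluid Attacks' code: the login response issues the session cookie with HttpOnly and Secure and the CSRF cookie with Secure only, and a state-changing request is accepted only when the token in the custom header matches the token in the cookie. Cookie names, the header name and the sample requests are assumptions constructed for the example.

```python
"""Server side of the double-submit cookie CSRF technique with REQ.029 applied.

Added example, not Fluid Attacks' code. SESSION_COOKIE, CSRF_COOKIE, CSRF_HEADER
and the sample requests are assumptions constructed for illustration.
"""
from __future__ import annotations

import hmac
import secrets

SESSION_COOKIE = "sessionid"     # assumed name of the session cookie
CSRF_COOKIE = "csrftoken"        # assumed name of the readable CSRF cookie
CSRF_HEADER = "x-csrf-token"     # assumed custom header the page's script fills in
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def login_response_headers(session_id: str) -> list[tuple[str, str]]:
    """Set-Cookie headers a login response emits.

    The session cookie gets both attributes. The CSRF cookie deliberately
    omits HttpOnly (same-origin JavaScript must read it) but keeps Secure.
    """
    token = secrets.token_urlsafe(32)
    return [
        ("Set-Cookie", f"{SESSION_COOKIE}={session_id}; Path=/; Secure; HttpOnly"),
        ("Set-Cookie", f"{CSRF_COOKIE}={token}; Path=/; Secure"),
    ]


def parse_cookie_header(cookie_header: str) -> dict[str, str]:
    """Parse a request's Cookie header ('a=1; b=2') into {name: value}."""
    cookies: dict[str, str] = {}
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def csrf_check_passes(method: str, headers: dict[str, str]) -> bool:
    """Accept a request only if the header token equals the cookie token.

    A cross-site request carries the cookie (the browser attaches it) but the
    foreign origin cannot read the cookie to fill the header, so it fails here.
    """
    if method.upper() in SAFE_METHODS:
        return True
    lowered = {k.lower(): v for k, v in headers.items()}
    cookie_token = parse_cookie_header(lowered.get("cookie", "")).get(CSRF_COOKIE, "")
    header_token = lowered.get(CSRF_HEADER, "")
    if not cookie_token or not header_token:
        return False
    # Constant-time comparison avoids leaking the token through timing.
    return hmac.compare_digest(cookie_token, header_token)


# Constructed sample requests reaching the server.
SAME_ORIGIN_POST = {  # page script read csrftoken and copied it into the header
    "Cookie": "sessionid=abc123; csrftoken=tok1",
    "X-CSRF-Token": "tok1",
}
CROSS_SITE_POST = {  # cookies attached automatically, header absent
    "Cookie": "sessionid=abc123; csrftoken=tok1",
}


if __name__ == "__main__":
    for header in login_response_headers("abc123"):
        print(header[0] + ": " + header[1])
    print("same-origin POST accepted:", csrf_check_passes("POST", SAME_ORIGIN_POST))
    print("cross-site POST accepted:", csrf_check_passes("POST", CROSS_SITE_POST))
```

The check only holds while the same-origin policy is intact; with a permissive Access-Control-Allow-Origin, clientaccesspolicy.xml or crossdomain.xml (the cases listed above), a foreign origin could obtain the token and the header would no longer prove same-origin execution.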


  1. An attacker generates a script that is executed by a valid authenticated user without their knowledge; without the HttpOnly and Secure attributes, the script sends information to the attacker [1],[2], including the session cookie, which is then used for session theft.

  2. An attacker captures HTTP traffic using a Man-in-the-Middle (MiTM) attack, intercepting requests and responses in plain text and extracting the session cookie, which is then used for session theft.


  1. Layer: Application layer.

  2. Asset: Session management.

  3. Scope: Confidentiality.

  4. Phase: Construction.

  5. Type of Control: Procedure.
