Web Server HttpOnly Cookies Not In Use

Medium Nessus Network Monitor Plugin ID 5799

Synopsis

The remote web server sets cookies without the 'HttpOnly' attribute, so client-side script can read them.

Description

Based on the 'Set-Cookie' headers observed in HTTP responses, PVS (now Nessus Network Monitor) has determined that the remote server sets at least one cookie without the 'HttpOnly' attribute. Without this attribute, client-side script running in the page (for example via document.cookie) can read the cookie, so an attacker who can inject script, such as through a cross-site scripting flaw, can steal session identifiers or other potentially confidential data held in cookies. Note that 'HttpOnly' limits what injected script can read; it does not prevent the script injection itself, and the browser still sends the cookie with every request.

Solution

Configure your web server or application to add the 'HttpOnly' attribute to every 'Set-Cookie' header for cookies that script does not need to read, in particular session cookies. Most web frameworks and servers expose this as a cookie option; it can also be added at a reverse proxy that rewrites 'Set-Cookie' headers. Pair it with the 'Secure' attribute for cookies sent over HTTPS.

See Also

http://www.owasp.org/index.php/HttpOnly

http://msdn.microsoft.com/en-us/library/ms533046(v=vs.85).aspx

Plugin Details

Severity: Medium

ID: 5799

File Name: 5799.prm

Family: Web Servers

Published: 2011/02/23

Modified: 2016/11/23

Dependencies: 1442

Risk Information

Risk Factor: Medium