Add the 'HttpOnly' attribute to all session cookies

I got the following error when my website was being audited. I have developed my website using JSP, servlets, and Java classes.

Missing HttpOnly Attribute in Session Cookie

Security Risks

It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user

Causes:

The web application sets session cookies without the HttpOnly attribute

Remediation Tasks:

Add the 'HttpOnly' attribute to all session cookies

I am passing a Java security token as a hidden parameter while clicking on the submit button. How can I add this HttpOnly attribute to that token?

Tom asked Feb 29 '12 06:02


1 Answer

The HttpOnly attribute is set on Cookies, and these are (usually) passed from the server to the client, not from the client to the server. HttpOnly is not an attribute you can set on a form or form parameter. Here the client is the browser and the server is the Java EE server running your Java application.

Cookies are usually created by a server, passed to the browser and then passed back. Now it is possible to create and manipulate Cookies using JavaScript which can be helpful but can also be a security hole. So an HttpOnly Cookie is only accessible by the server, or in other words it is not accessible from client side JavaScript which protects your site from some forms of XSS attacks. So the Browser will store and return an HttpOnly Cookie but it will not alter it or allow you to create it on the client; an HttpOnly Cookie must be created on the server.

If you're using JSP it's likely your server is automatically creating a Cookie to manage sessions for you; this is the cookie on which you need to set the HttpOnly attribute. The method to set HttpOnly on your SESSIONID Cookie will be container specific.

Dave Webb answered Oct 01 '22 06:10
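For a Servlet 3.0 or later container, the portable way to do what the answer describes is to configure the container's own session cookie at startup and to set the flag on any cookie your code issues itself. This is an added example, not code from the question or the answer; it assumes the `javax.servlet` API (Servlet 3.0 to 4.0) and a class name of my own choosing.

```java
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

// Hypothetical class name. Registered automatically by the container via @WebListener
// and run once when the web application is deployed, before any session is created.
@WebListener
public class SessionCookieHardening implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        // Configures the cookie the container creates for HttpSession (JSESSIONID by default),
        // which is the cookie the audit finding is about.
        SessionCookieConfig cfg = ctx.getSessionCookieConfig();
        cfg.setHttpOnly(true); // Not readable from document.cookie, so script injection cannot read it
        cfg.setSecure(true);   // Only sent over HTTPS; assumes the site is served over TLS
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // Nothing to release.
    }

    // For cookies your own servlets create (for example a server-issued token that you
    // choose to carry in a cookie rather than a hidden form field), set the same flags
    // explicitly; Cookie.setHttpOnly exists since Servlet 3.0.
    public static void addHardenedCookie(HttpServletResponse resp, String name, String value) {
        Cookie c = new Cookie(name, value);
        c.setHttpOnly(true);
        c.setSecure(true);
        c.setPath("/");
        resp.addCookie(c);
    }
}
```

The declarative equivalent in web.xml is `<session-config><cookie-config><http-only>true</http-only></cookie-config></session-config>`; to confirm the fix, inspect the `Set-Cookie` response header on first visit and check that `HttpOnly` appears after `JSESSIONID=...`.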