http://diwakarko.blogspot.com (दिवाकरको ब्लग)

Protecting Your Cookies: HttpOnly


What is HttpOnly?

According to the Microsoft Developer Network, HttpOnly is an additional flag included in a Set-Cookie HTTP response header. Using the HttpOnly flag when generating a cookie helps mitigate the risk of client-side script accessing the protected cookie (if the browser supports it).
The example below shows the syntax used within the HTTP response header (placeholders are shown in angle brackets):

    Set-Cookie: <name>=<value>[; <name>=<value>]
    [; expires=<date>][; domain=<domain_name>]
    [; path=<some_path>][; secure][; HttpOnly]

If the (optional) HttpOnly flag is included in the HTTP response header, the cookie cannot be accessed through client-side script (again, if the browser supports this flag). As a result, even if a cross-site scripting (XSS) flaw exists and a user accidentally follows a link that exploits it, the browser (primarily Internet Explorer) will not reveal the cookie to a third party.
If a browser does not support HttpOnly and a website attempts to set an HttpOnly cookie, the browser ignores the HttpOnly flag and creates a traditional, script-accessible cookie. As a result, the cookie (typically your session cookie) becomes vulnerable to theft or modification by malicious script.

Using PHP to set HttpOnly

PHP has supported setting the HttpOnly flag since version 5.2.0 (November 2006).
For session cookies managed by PHP, the flag is set either permanently in php.ini (see the PHP manual on HttpOnly) through the parameter:

    session.cookie_httponly = True

or at runtime within a script via the function:

    void session_set_cookie_params ( int $lifetime [, string $path [, string $domain
                                     [, bool $secure = false [, bool $httponly = false ]]]] )

For application cookies, the last parameter of setcookie() sets the HttpOnly flag:

    bool setcookie ( string $name [, string $value [, int $expire = 0 [, string $path
                     [, string $domain [, bool $secure = false [, bool $httponly = false ]]]]]] )



Web Server

Implement in Apache:

1. Ensure mod_headers.so is enabled in your Apache instance.
2. Add the following entry to httpd.conf:

    Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

3. Restart the Apache web server.

Note: Header edit is not available in Apache versions lower than 2.2.4. You can use the following to set the HttpOnly and Secure flags in versions lower than 2.2.4. Thanks to Ytse for sharing this information.
Header set Set-Cookie HttpOnly;Secure

Verification:

Open your website with HttpWatch, Live HTTP Headers or an online HTTP header tool.
Check the HTTP response headers: the Set-Cookie line should now carry both the HttpOnly and Secure flags.
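The following Python script is an added example, not code from the original post or from PHP or Apache. It ties together the Set-Cookie syntax shown above, the Apache `Header edit` rule, and the verification step: it builds a Set-Cookie value in the documented attribute order, emulates what the `Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure` rewrite does to an existing header, and audits a block of raw response headers (a constructed sample that stands in for what a header-inspection tool shows) for cookies that lack HttpOnly or Secure. All cookie names and values are constructed sample data.

```python
"""Build, rewrite and audit Set-Cookie headers for the HttpOnly and Secure flags.

Added example (not from the original post). All cookie names and values below
are constructed sample data, not captured from any real site.
"""
import re
from typing import Dict, List, Optional

# Attribute names are compared case-insensitively, as browsers treat them.
FLAG_ATTRIBUTES = ("httponly", "secure")
KNOWN_ATTRIBUTES = {"expires", "max-age", "domain", "path", "secure", "httponly", "samesite"}


def build_set_cookie(name: str, value: str, expires: Optional[str] = None,
                     domain: Optional[str] = None, path: Optional[str] = None,
                     secure: bool = False, httponly: bool = False) -> str:
    """Assemble a Set-Cookie value in the order shown in the post:
    name=value [; expires=...][; domain=...][; path=...][; secure][; HttpOnly]."""
    parts = [f"{name}={value}"]
    if expires:
        parts.append(f"expires={expires}")
    if domain:
        parts.append(f"domain={domain}")
    if path:
        parts.append(f"path={path}")
    if secure:
        parts.append("secure")
    if httponly:
        parts.append("HttpOnly")
    return "; ".join(parts)


def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Split a Set-Cookie value into the cookie pair and its attributes.

    Returns {"name", "value", "attrs"}; attrs maps lowercased attribute names to
    their value (or None for bare flags). A value with no name=value pair gets
    name None, which the audit reports because such a header sets no cookie.
    """
    pieces = [p.strip() for p in header_value.split(";") if p.strip()]
    name = value = None
    attrs: Dict[str, Optional[str]] = {}
    rest = pieces
    if pieces and "=" in pieces[0]:
        first_key = pieces[0].split("=", 1)[0].strip().lower()
        if first_key not in KNOWN_ATTRIBUTES:
            name, value = (s.strip() for s in pieces[0].split("=", 1))
            rest = pieces[1:]
    for piece in rest:
        key, sep, val = piece.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return {"name": name, "value": value, "attrs": attrs}


def apache_header_edit(header_value: str) -> str:
    """Emulate `Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure` from the post:
    the regex captures the whole existing value and appends both flags to it."""
    return re.sub(r"^(.*)$", r"\1;HttpOnly;Secure", header_value)


def audit_set_cookie(header_value: str) -> List[str]:
    """Return the problems found in one Set-Cookie value (empty list means OK)."""
    cookie = parse_set_cookie(header_value)
    problems = []
    if cookie["name"] is None:
        problems.append("no name=value pair: the header sets no cookie at all")
    for flag in FLAG_ATTRIBUTES:
        if flag not in cookie["attrs"]:
            problems.append(f"missing {flag}")
    return problems


def audit_response_headers(raw_headers: str) -> Dict[str, List[str]]:
    """Audit every Set-Cookie line in a block of raw HTTP response headers.
    The report is keyed by cookie name (or by the raw value when there is none)."""
    report: Dict[str, List[str]] = {}
    for line in raw_headers.splitlines():
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() == "set-cookie":
            value = value.strip()
            cookie = parse_set_cookie(value)
            report[cookie["name"] or value] = audit_set_cookie(value)
    return report


# Constructed sample response: a PHP session cookie set without either flag,
# and an application cookie that already carries both.
SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=constructedsessionid123; path=/
Set-Cookie: lang=en; expires=Fri, 01-Jan-2027 00:00:00 GMT; path=/; secure; HttpOnly
"""

if __name__ == "__main__":
    for name, problems in audit_response_headers(SAMPLE_RESPONSE).items():
        print(name, "OK" if not problems else ", ".join(problems))
    fixed = apache_header_edit("PHPSESSID=constructedsessionid123; path=/")
    print(fixed, audit_set_cookie(fixed))
```

Paste the headers a tool such as Live HTTP Headers shows into `SAMPLE_RESPONSE` to audit a real response offline. Because `parse_set_cookie` stores attributes in a dictionary, a cookie that already had HttpOnly before the Apache rule appended it again still audits clean; the audit also reports a Set-Cookie value that consists only of flags, since a header without a name=value pair sets no cookie.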
Secure your web application today!
Read - Apache Web Server Security & Hardening Guide - Practical Guide


