Session Cookie HTTPOnly Flag – Java, .NET Rails 3 and Coldfusion

Cookies are used to store a variety of shared state information between your browser and a web server. The most common use for cookies is to maintain your session state, since HTTP in itself is a stateless protocol.

A cross site scripting attack against a web application user will often steal this session cookie. Assuming there are no other defensive measures in place, the attacker can then replay the session cookie to become you as far as the web server is concerned and have access to any of your account information.

Enter HTTPOnly

A cookie stealing attack is easy to prevent and most applications should not be affected by the mitigation. A web application can add a flag called “HTTPOnly” to the cookie. When your browser processes the cookie, it will see the flag and know that client side scripts are now prevented from interacting with the cookie at all. So even if a cross site scripting vulnerability exists in the web application, an attacker would not be able to leverage it to retrieve a session cookie.

Negatives

The only time you would not want to use HTTPOnly in your web application would be if your client side scripts are specifically designed to interact with a user’s session by reading or writing to a cookie. In that case, I would recommend redesigning the application to not require scripts have access to the cookie. Alternatively, you could rigorously validate that no cross site scripting vulnerabilities exist in your application. If no XSS flaws exist, then there is no need to worry about a cookie being retrieved via javascript. However, I recommend the former method, as the latter can be much harder to achieve, especially in the case of an application under constant development that is not constantly tested for new security flaws.

How

All application servers make it easy to extremely easy to add this cookie flag.

Java

In your web.xml, add:

<session-config>
  <cookie-config>
    <http-only>true</http-only>
  </cookie-config>
</session-config>

Note that this directive was added in Tomcat 6.0.19 and previous versions have no method for mitigating this vulnerability.

.NET

In web.config under system.web add:

<httpCookies httpOnlyCookies="true">

Rails 3

In your config/initializers/session_store.rb file, add:

AppClass::Application.config.session_store :cookie_store, {
        :httponly => true
}

Replace “AppClass” with the name if your application’s class.

Coldfusion

Depending on your version of Coldfusion, the method to enable HTTPOnly is different. I’ll refer you to this excellent write up: http://www.petefreitag.com/item/764.cfm

References and Further Reading

WhiteHat Security: Session Cookie HttpOnly Flag Java
OWASP: HTTPOnly
Pete Freitag: Setting up HTTPOnly Session Cookies for ColdFusion

Leave a Reply

Your email address will not be published.