Securing Cookies with HttpOnly and secure Flags

[emAmazed]

Without having HttpOnly and Secure flag in HTTP response header, it is possible to steal or manipulate web application session and cookies.

If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. Using HttpOnly and Secure flag with client side cookie can mitigate most common XSS attack. This will ensure the site will only run with SSL.

How to set up:

• Make sure you have mod_headers.so enabled in your apache setting; - /usr/sbin/httpd -l
• Locate the mod_headers.so
  • /etc/http/conf.modules.d
  • /etc/apache2/httpd.conf`
  • Add line: LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so
  • Module location: /usr/lib/apache2/modules or /etc/httpd/modules

• Add this line to your httpd.conf Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure or Header always edit Set-Cookie (.*) "$1; HTTPOnly; Secure"

  Pre-2.2.4 Apache Version using Header set Set-Cookie HttpOnly;Secure

• Restart service

[Godusobb]

Hi, I did Header always edit Set-Cookie (.*) "$1; HTTPOnly; Secure
in my httpd.conf, but when i did restart the services, whenever i click in my site , a new session is created and the previous is destroyed , ( so the problem is that the server keep destroying the previous session after every click)

any clue what is the problem here ?? thanks

[emAmazed]

Hi @Godusobb just saw this. What did you list under "ServerName"? Try to switch it to your machine name if you are working on an intranet, or it was listed with an IP. The cause of it most likely was the cookie was not enabled in the browser, and every time you clicked the site it was considered as a new session.

[Godusobb]

Hi , I found out that i work with tomcat 6.016 and the HttpOnly was added in tomcat 6.019, May that be the problem ?