royharoush / wavsep

Automatically exported from code.google.com/p/wavsep

Cookies set without httponly flag #3

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Depending on how your webserver is set up, some scanners may report that all
pages have a low-level vulnerability, as the session cookie isn't set with
HttpOnly.
The following bit of code in each JSP would fix this:

<%
    // Standard bit of code to ensure any session ID is protected using HttpOnly.
    // Path is set to the application root; without it the browser scopes the cookie
    // to the directory of the current page and each directory would get its own session.
    String sessionid = request.getSession().getId();
    if (sessionid != null && sessionid.length() > 0) {
        response.setHeader("Set-Cookie", "JSESSIONID=" + sessionid
                + "; Path=" + request.getContextPath() + "; HttpOnly");
    }
%>

Ripped off from ZAP WAVE, but that's OK as I'm the author ;)

Original issue reported on code.google.com by psii...@gmail.com on 5 Oct 2011 at 12:38

GoogleCodeExporter commented 9 years ago
The only problem is that I will have to fix other exposures in other pages... 
for example XSS in SQLi vulnerable pages (and the other way around).

The original plan was that while scanning each directory, the auditor would only
count the vulnerabilities related to the exposure evaluated by that directory, and
ignore all the rest.

Have to think about it... but might change it in the future using a java Filter.

Original comment by sectoola...@gmail.com on 16 Dec 2011 at 2:53
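The Filter approach mentioned in the comment above, applied to the per-page JSP snippet from the first comment, as an added example that is not wavsep's or ZAP WAVE's own code. The class name is made up, and it assumes a Tomcat-style container where `setHeader("Set-Cookie", ...)` replaces the session cookie the container already queued, which is the same assumption the JSP snippet relies on.

```java
// Added example, not wavsep's own code: the JSP snippet moved into a servlet
// Filter so every page under the mapped paths emits an HttpOnly session cookie.
// Assumes a Tomcat-style container where setHeader("Set-Cookie", ...) replaces the
// session cookie the container already queued (the same assumption the JSP relies on).
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class HttpOnlySessionCookieFilter implements Filter {

    /** Builds the Set-Cookie value; kept separate so it can be unit-tested. */
    static String buildSessionCookie(String sessionId, String contextPath) {
        // Path must be the application root, otherwise the browser scopes the cookie
        // to the directory of the first page visited and each directory gets a new session.
        String path = (contextPath == null || contextPath.isEmpty()) ? "/" : contextPath;
        return "JSESSIONID=" + sessionId + "; Path=" + path + "; HttpOnly";
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest && res instanceof HttpServletResponse) {
            HttpServletRequest request = (HttpServletRequest) req;
            HttpServletResponse response = (HttpServletResponse) res;
            // getSession() creates the session (and the container's cookie) if needed,
            // before the JSP runs; the header is then overwritten with the HttpOnly version.
            String sessionId = request.getSession().getId();
            if (sessionId != null && sessionId.length() > 0) {
                response.setHeader("Set-Cookie",
                        buildSessionCookie(sessionId, request.getContextPath()));
            }
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
}
```

Map the filter in web.xml with a `<filter-mapping>` whose `<url-pattern>` is `/*` so it covers every vulnerable directory at once. On a Servlet 3.0 or later container the same result needs no code: `<session-config><cookie-config><http-only>true</http-only></cookie-config></session-config>` in web.xml makes the container emit JSESSIONID with HttpOnly itself.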