Greetings gentlemen, I'm here to give a simple and understandable explanation of the HttpOnly flag. This technique was first used by the MS Internet Explorer developers in IE 6 with the Windows XP SP1 version.
HttpOnly
HttpOnly is an additional flag in the HTTP response header named Set-Cookie. Using this HttpOnly flag helps in mitigating client-side and server-side attacks.
Syntax:
Set-Cookie: name=UrduSecuirty; Max-Age=600; expires=01/04/2014; domain=urdusecurity.blogspot.com; path=/; secure; HttpOnly
Why HttpOnly
If the HttpOnly flag is included in the HTTP response header, the cookie cannot be accessed through client-side script. As a result, even if a cross-site scripting (XSS) flaw exists and a user accidentally accesses a link that exploits this flaw, the browser will not reveal the cookie to a third party.
When you visit a web page and cannot see the 'HttpOnly' flag in its 'Set-Cookie' response header, be sure that the website is not protecting its cookies, because they can be stolen easily by client-side script.
Setting HttpOnly Cookies
PHP => add this to php.ini:
session.cookie_httponly = True
Python (CherryPy) => add this to the config file (CherryPy's session tool exposes the flag as tools.sessions.httponly):
tools.sessions.httponly = True
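The two things this post talks about, emitting a Set-Cookie header with HttpOnly set and checking a response for cookies that lack it, as an added Python example (not code from the original post; the header list and cookie names below are constructed sample data, and only the standard library is used):

```python
from http.cookies import SimpleCookie

# Constructed sample of the headers a browser might receive from a site.
# The first cookie is missing both flags, the second one is set correctly.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "PHPSESSID=abc123; Path=/"),
    ("Set-Cookie", "theme=dark; Path=/; HttpOnly; Secure"),
]


def build_session_cookie(name, value, max_age=600, domain=None, path="/"):
    """Return a Set-Cookie header value with the HttpOnly and Secure flags set.

    Uses the standard-library Morsel so attribute names are rendered as the
    browser expects (Max-Age, Domain, Path, Secure, HttpOnly).
    """
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["max-age"] = max_age
    cookie[name]["path"] = path
    if domain:
        cookie[name]["domain"] = domain
    cookie[name]["secure"] = True    # only send over HTTPS
    cookie[name]["httponly"] = True  # not readable by document.cookie
    return cookie[name].OutputString()


def audit_set_cookie(header_value):
    """Parse one Set-Cookie value; return (cookie name, list of missing flags)."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive, so compare in lower case.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    missing = [flag for flag in ("httponly", "secure") if flag not in attrs]
    return name, missing


def audit_response_headers(headers):
    """Map every cookie set in a response to the protective flags it lacks."""
    findings = {}
    for header_name, header_value in headers:
        if header_name.lower() == "set-cookie":
            name, missing = audit_set_cookie(header_value)
            findings[name] = missing
    return findings


if __name__ == "__main__":
    print(build_session_cookie("session", "abc123", domain="example.com"))
    for cookie_name, missing in audit_response_headers(SAMPLE_HEADERS).items():
        print(cookie_name, "missing:", missing or "nothing")
```

Running it prints the hardened header and flags PHPSESSID as missing both HttpOnly and Secure, which is exactly the response-header check described above.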
Hope you guys enjoyed reading this tutorial; it is not explained in depth, but it is noob friendly so that everyone can understand. Soon I'll also post how HttpOnly cookies can be accessed.
What & Why HttpOnly Flag
Category: WebAppSec