HawkScan Test Info for Cookie No HttpOnly Flag

Cookie No HttpOnly Flag


Plugin Id: 10010 | CWE: 1004


To remediate the “Cookie No HttpOnly Flag” vulnerability, the following steps can be taken:

  1. Enable the HttpOnly flag: Set the HttpOnly flag on all cookies to prevent them from being accessed by JavaScript. This can be done by adding the HttpOnly attribute to the Set-Cookie header when the cookie is being set. For example, in a web application using PHP, the setcookie function can be used with the httponly parameter set to true:

    setcookie('cookie_name', 'cookie_value', time() + 3600, '/', '', false, true);

    This will ensure that the cookie is only accessible over HTTP and cannot be accessed by JavaScript.

  2. Review and update cookie handling: Review the codebase to ensure that cookies are being handled securely. Make sure that sensitive information is not being stored in cookies and that cookies are properly validated and sanitized before being used.

  3. Implement secure session management: If the vulnerable cookie is a session cookie, consider implementing additional security measures such as session expiration, session regeneration after login, and using secure session storage mechanisms.


The “Cookie No HttpOnly Flag” vulnerability occurs when a cookie is set without the HttpOnly flag. The HttpOnly flag is a security feature that prevents cookies from being accessed by JavaScript. By default, cookies can be accessed by both the server and client-side scripts, including malicious scripts. If a malicious script is able to run on the same page as the vulnerable cookie, it can access and potentially steal the cookie’s value. This can lead to session hijacking, where an attacker gains unauthorized access to a user’s session.


The risks associated with the “Cookie No HttpOnly Flag” vulnerability include:

  1. Session hijacking: If the vulnerable cookie is a session cookie, an attacker can potentially hijack a user’s session by stealing the cookie’s value. This can allow the attacker to impersonate the user and perform actions on their behalf.

  2. Information disclosure: If the cookie contains sensitive information, such as user credentials or personal data, an attacker can access and steal this information. This can lead to identity theft, unauthorized access to accounts, or other privacy breaches.

  3. Cross-site scripting (XSS) attacks: The ability to access cookies through JavaScript can be exploited in conjunction with other vulnerabilities, such as cross-site scripting (XSS). An attacker can inject malicious scripts into a vulnerable page, which can then access and steal the cookie’s value. This can lead to further attacks, such as session hijacking or data manipulation.