Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

PCI Scan - HTTP-only flag for cookies

Posted on 2013-11-14
1
Medium Priority
?
470 Views
Last Modified: 2013-11-14
Hello

We have a request to change some code on our site to get PCI compliant. The request is as follows.

******
The application does not utilise HTTP-only cookies. This is a new security feature introduced by Microsoft in IE 6 SP1 to mitigate the possibility of successful Cross-site Scripting attacks by not allowing cookies with the "HttpOnly" flag to be accessed via client-side scripts.

An attacker can easily steal a user's session if the attacker is able to manipulate the JavaScript. This vulnerability has a very high security impact if the site is also vulnerable to Cross Site Scripting (XSS).
*******

Can anyone briefly confirm what the issue is here an what we need to do? Is there a line of code we need to change or insert. Any comment much appreciated.
0
Comment
Question by:gregnvt
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 84

Accepted Solution

by:
Dave Baldwin earned 2000 total points
ID: 39649689
See here: http://en.wikipedia.org/wiki/HTTP_cookie#HttpOnly_cookie  Further down on that page it shows the structure.  Your programming language will have a way to set the 'HTTPonly' parameter.
1

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction This article is intended for those who are new to PHP error handling (https://www.experts-exchange.com/articles/11769/And-by-the-way-I-am-New-to-PHP.html).  It addresses one of the most common problems that plague beginning PHP develop…
One of the biggest threats facing all high-value targets are APT's.  These threats include sophisticated tactics that "often starts with mapping human organization and collecting intelligence on employees, who are nowadays a weaker link than network…
Have you created a query with information for a calendar? ... and then, abra-cadabra, the calendar is done?! I am going to show you how to make that happen. Visualize your data!  ... really see it To use the code to create a calendar from a q…
In this video, Percona Solutions Engineer Barrett Chambers discusses some of the basic syntax differences between MySQL and MongoDB. To learn more check out our webinar on MongoDB administration for MySQL DBA: https://www.percona.com/resources/we…

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question