Solved

PCI Scan - HTTP-only flag for cookies

Posted on 2013-11-14
1
447 Views
Last Modified: 2013-11-14
Hello

We have a request to change some code on our site to get PCI compliant. The request is as follows.

******
The application does not utilise HTTP-only cookies. This is a new security feature introduced by Microsoft in IE 6 SP1 to mitigate the possibility of successful Cross-site Scripting attacks by not allowing cookies with the "HttpOnly" flag to be accessed via client-side scripts.

An attacker can easily steal a user's session if the attacker is able to manipulate the JavaScript. This vulnerability has a very high security impact if the site is also vulnerable to Cross Site Scripting (XSS).
*******

Can anyone briefly confirm what the issue is here an what we need to do? Is there a line of code we need to change or insert. Any comment much appreciated.
0
Comment
Question by:gregnvt
1 Comment
 
LVL 83

Accepted Solution

by:
Dave Baldwin earned 500 total points
ID: 39649689
See here: http://en.wikipedia.org/wiki/HTTP_cookie#HttpOnly_cookie  Further down on that page it shows the structure.  Your programming language will have a way to set the 'HTTPonly' parameter.
1

Featured Post

Create the perfect environment for any meeting

You might have a modern environment with all sorts of high-tech equipment, but what makes it worthwhile is how you seamlessly bring together the presentation with audio, video and lighting. The ATEN Control System provides integrated control and system automation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you are a web developer, you would be aware of the <iframe> tag in HTML. The <iframe> stands for inline frame and is used to embed another document within the current HTML document. The embedded document could be even another website.
Our Group Policy work started with Small Business Server in 2000. Microsoft gave us an excellent OU and GPO model in subsequent SBS editions that utilized WMI filters, OU linking, and VBS scripts. These are some of experiences plus our spending a lo…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

713 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question