Solved

PCI Scan - HTTP-only flag for cookies

Posted on 2013-11-14
1
456 Views
Last Modified: 2013-11-14
Hello

We have a request to change some code on our site to get PCI compliant. The request is as follows.

******
The application does not utilise HTTP-only cookies. This is a new security feature introduced by Microsoft in IE 6 SP1 to mitigate the possibility of successful Cross-site Scripting attacks by not allowing cookies with the "HttpOnly" flag to be accessed via client-side scripts.

An attacker can easily steal a user's session if the attacker is able to manipulate the JavaScript. This vulnerability has a very high security impact if the site is also vulnerable to Cross Site Scripting (XSS).
*******

Can anyone briefly confirm what the issue is here an what we need to do? Is there a line of code we need to change or insert. Any comment much appreciated.
0
Comment
Question by:gregnvt
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 83

Accepted Solution

by:
Dave Baldwin earned 500 total points
ID: 39649689
See here: http://en.wikipedia.org/wiki/HTTP_cookie#HttpOnly_cookie  Further down on that page it shows the structure.  Your programming language will have a way to set the 'HTTPonly' parameter.
1

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction This article is intended for those who are new to PHP error handling (https://www.experts-exchange.com/articles/11769/And-by-the-way-I-am-New-to-PHP.html).  It addresses one of the most common problems that plague beginning PHP develop…
Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
In this video, viewers will be given step by step instructions on adjusting mouse, pointer and cursor visibility in Microsoft Windows 10. The video seeks to educate those who are struggling with the new Windows 10 Graphical User Interface. Change Cu…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question