• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 522
  • Last Modified:

PCI Scan - HTTP-only flag for cookies

Hello

We have a request to change some code on our site to get PCI compliant. The request is as follows.

******
The application does not utilise HTTP-only cookies. This is a new security feature introduced by Microsoft in IE 6 SP1 to mitigate the possibility of successful Cross-site Scripting attacks by not allowing cookies with the "HttpOnly" flag to be accessed via client-side scripts.

An attacker can easily steal a user's session if the attacker is able to manipulate the JavaScript. This vulnerability has a very high security impact if the site is also vulnerable to Cross Site Scripting (XSS).
*******

Can anyone briefly confirm what the issue is here an what we need to do? Is there a line of code we need to change or insert. Any comment much appreciated.
0
gregnvt
Asked:
gregnvt
1 Solution
 
Dave BaldwinFixer of ProblemsCommented:
See here: http://en.wikipedia.org/wiki/HTTP_cookie#HttpOnly_cookie  Further down on that page it shows the structure.  Your programming language will have a way to set the 'HTTPonly' parameter.
1

Featured Post

SMB Security Just Got a Layer Stronger

WatchGuard acquires Percipient Networks to extend protection to the DNS layer, further increasing the value of Total Security Suite.  Learn more about what this means for you and how you can improve your security with WatchGuard today!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now