Solved

PCI Scan - HTTP-only flag for cookies

Posted on 2013-11-14
450 Views
Last Modified: 2013-11-14
Hello

We have a request to change some code on our site to get PCI compliant. The request is as follows.

******
The application does not utilise HTTP-only cookies. This is a new security feature introduced by Microsoft in IE 6 SP1 to mitigate the possibility of successful Cross-site Scripting attacks by not allowing cookies with the "HttpOnly" flag to be accessed via client-side scripts.

An attacker can easily steal a user's session if the attacker is able to manipulate the JavaScript. This vulnerability has a very high security impact if the site is also vulnerable to Cross Site Scripting (XSS).
*******

Can anyone briefly confirm what the issue is here and what we need to do? Is there a line of code we need to change or insert? Any comment much appreciated.
Question by:gregnvt
1 Comment
 
LVL 83

Accepted Solution

by: Dave Baldwin earned 500 total points
ID: 39649689
See here: http://en.wikipedia.org/wiki/HTTP_cookie#HttpOnly_cookie  Further down on that page it shows the structure.  Your programming language will have a way to set the 'HTTPonly' parameter.
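As an added example (not code from the question or the accepted answer), this shows how the HttpOnly flag is emitted on a cookie with Python's standard library and how a response's Set-Cookie headers can be checked for it, which is the check the PCI scanner is performing; the cookie name `sessionid` and the sample headers are constructed for the example.

```python
"""Set the HttpOnly flag on a cookie and audit Set-Cookie headers for it (added example)."""
from http.cookies import SimpleCookie


def build_session_cookie(session_id: str, http_only: bool = True) -> str:
    """Return the Set-Cookie header value for a session cookie.

    With http_only=True the value carries the HttpOnly attribute, so the
    browser will not expose the cookie to document.cookie in page scripts.
    """
    jar = SimpleCookie()
    jar["sessionid"] = session_id          # constructed cookie name
    jar["sessionid"]["path"] = "/"
    if http_only:
        jar["sessionid"]["httponly"] = True  # Morsel renders this as "HttpOnly"
    return jar["sessionid"].OutputString()


def cookie_attributes(set_cookie_value: str) -> dict:
    """Parse one Set-Cookie header value into its name=value pair and attributes.

    Attribute names are case-insensitive per RFC 6265, so they are lower-cased.
    """
    parts = [p.strip() for p in set_cookie_value.split(";")]
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        elif part:
            attrs[part.lower()] = True        # flag attributes such as HttpOnly
    return {"cookie": parts[0], "attrs": attrs}


def missing_httponly(headers: list) -> list:
    """Return the names of cookies set without HttpOnly (what the scanner flags)."""
    findings = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        parsed = cookie_attributes(value)
        if "httponly" not in parsed["attrs"]:
            findings.append(parsed["cookie"].split("=", 1)[0])
    return findings


# Constructed sample response headers: one compliant cookie, one that would be flagged
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", build_session_cookie("constructed-id", http_only=True)),
    ("Set-Cookie", "tracking=abc123; Path=/"),
]

if __name__ == "__main__":
    print(build_session_cookie("constructed-id"))
    print("cookies missing HttpOnly:", missing_httponly(SAMPLE_HEADERS))
```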
