This article is a part of our Web Security Knowledge Base
Why Session ID Cookie Accessible to JavaScript can be dangerous
A session ID cookie sent by the server without the HttpOnly flag (observed here when the URL is modified by setting the named parameter field to NULL) can be read by JavaScript running in the client’s web browser. In conjunction with another vulnerability such as Cross-Site Scripting (see XSS), this may allow the session to be hijacked (see Session Fixation).
How to fix Session ID Cookie Accessible to JavaScript
To prevent a cookie containing a session ID from being read by JavaScript in the web browser, set the “HttpOnly” flag when issuing it. HttpOnly only blocks script access to the cookie; it does not remove the underlying XSS, and the Secure and SameSite attributes should be set alongside it.
How does ScanRepeat report Session ID Cookie Accessible to JavaScript
ScanRepeat checks whether the cookie containing a session ID carries the “HttpOnly” flag. It raises an alert for every occurrence of a session ID cookie that lacks the flag, reporting the cookie’s name and value.
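The following added example (not ScanRepeat’s own code) shows both sides of the sections above: a small checker that parses `Set-Cookie` response headers and reports session cookies missing `HttpOnly` by name and value, and a helper that builds the hardened header. The list of session cookie names and the sample headers are constructed assumptions.

```python
"""Flag session ID cookies issued without HttpOnly, and build a hardened Set-Cookie.

Added example; the cookie-name list and sample headers are constructed.
"""

# Common session identifier cookie names (assumption; extend for your application).
SESSION_COOKIE_NAMES = {"jsessionid", "phpsessid", "asp.net_sessionid", "sessionid", "session", "sid"}


def parse_set_cookie(header_value: str) -> dict:
    """Split one Set-Cookie header value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        # Flag attributes (HttpOnly, Secure) have no value; store them as True.
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def is_session_cookie(name: str) -> bool:
    return name.lower() in SESSION_COOKIE_NAMES


def missing_httponly(headers: list) -> list:
    """Return one finding per session cookie that lacks HttpOnly (name and value, as the scanner reports)."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if is_session_cookie(cookie["name"]) and "httponly" not in cookie["attrs"]:
            findings.append({"name": cookie["name"], "value": cookie["value"], "header": header})
    return findings


def hardened_set_cookie(name: str, value: str, secure: bool = True, samesite: str = "Lax") -> str:
    """Build a Set-Cookie value with HttpOnly (the fix) plus Secure and SameSite."""
    header = f"{name}={value}; Path=/; HttpOnly"
    if secure:
        header += "; Secure"
    return header + f"; SameSite={samesite}"


# Constructed sample response headers: one vulnerable session cookie, one hardened, one non-session.
SAMPLE_HEADERS = [
    "JSESSIONID=0F3A9C1E2B; Path=/",
    "PHPSESSID=abc123; Path=/; HttpOnly; Secure",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    for finding in missing_httponly(SAMPLE_HEADERS):
        print(f"Session cookie without HttpOnly: {finding['name']}={finding['value']}")
    print("Fixed header:", hardened_set_cookie("JSESSIONID", "0F3A9C1E2B"))
```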