Weakness reference
CWE-1004

Sensitive Cookie Without 'HttpOnly' Flag

This weakness occurs when a web application stores sensitive data such as session tokens, authentication credentials, or user identifiers in a cookie without…

01Summary

This weakness occurs when a web application stores sensitive data (such as session tokens, authentication credentials, or user identifiers) in a cookie without setting the HttpOnly flag. Without this flag, client-side JavaScript can read the cookie, making it vulnerable to theft if an attacker can inject malicious scripts into the page—a common attack vector known as Cross-Site Scripting (XSS).

02How It Happens

When a cookie is created without the HttpOnly attribute, the browser allows any JavaScript running in the same origin to access it via document.cookie. If an attacker exploits an XSS vulnerability to inject malicious JavaScript, that script can read and exfiltrate sensitive cookies to an attacker-controlled server. The HttpOnly flag restricts cookie access to HTTP(S) requests only, preventing JavaScript from reading it. This is a simple but critical defense layer that many developers overlook, especially when setting cookies manually rather than relying on framework defaults.

03Real-World Impact

An attacker who steals a session cookie can impersonate the legitimate user without needing their password. This can lead to unauthorized account access, data theft, fraudulent transactions, or privilege escalation if the compromised account has administrative rights. Even if other security measures (like CSRF tokens) are in place, a stolen session cookie often bypasses them entirely. The risk is amplified in applications handling financial data, personal information, or administrative functions.

04Vulnerable & Fixed Patterns

Vulnerable pattern
from flask import Flask, make_response

app = Flask(__name__)

@app.route('/login', methods=['POST'])
def login():
    user_id = authenticate_user(request.form)
    response = make_response("Login successful")
    response.set_cookie('session_token', user_id, max_age=3600)
    return response

Why it's vulnerable:
The cookie is set without the httponly=True parameter, allowing any JavaScript on the page to read document.cookie and access the session token.

Fixed pattern
from flask import Flask, make_response

app = Flask(__name__)

@app.route('/login', methods=['POST'])
def login():
    user_id = authenticate_user(request.form)
    response = make_response("Login successful")
    response.set_cookie('session_token', user_id, max_age=3600, 
                        httponly=True, secure=True, samesite='Strict')
    return response
Vulnerable pattern
<?php
session_start();
$user_id = authenticate_user($_POST);

// Cookie set without HttpOnly flag
setcookie('auth_token', $user_id, time() + 3600, '/');
?>

Why it's vulnerable:
The setcookie() call omits the httponly parameter (or sets it to false), leaving the cookie readable by JavaScript.

Fixed pattern
<?php
session_start();
$user_id = authenticate_user($_POST);

// Cookie set with HttpOnly, Secure, and SameSite flags
setcookie('auth_token', $user_id, [
    'expires' => time() + 3600,
    'path' => '/',
    'httponly' => true,
    'secure' => true,
    'samesite' => 'Strict'
]);
?>

05Prevention Checklist

Always set HttpOnly=true
on any cookie containing authentication tokens, session IDs, or user identifiers.
Pair HttpOnly with Secure
to ensure cookies are only transmitted over HTTPS, preventing interception on unencrypted connections.
Use SameSite attribute
(set to Strict or Lax) to mitigate Cross-Site Request Forgery (CSRF) attacks.
Audit existing cookies
in your application; use browser developer tools (Application/Storage tab) to verify all sensitive cookies have HttpOnly set.
Use framework session handlers
(e.g., Flask sessions, PHP session_start() with proper configuration) rather than manual cookie management when possible—they often apply secure defaults.
Test with XSS payloads
in a controlled environment to confirm that injected scripts cannot access sensitive cookies.

06Signs You May Already Be Affected

Check your application's cookies using browser developer tools (F12 → Application/Storage → Cookies). If you see cookies containing session tokens, user IDs, or authentication data without an "HttpOnly" label, they are vulnerable. Review your web server and application logs for signs of XSS exploitation (unusual script tags in query parameters or POST data, unexpected JavaScript errors, or suspicious cookie access patterns). If you have deployed patches for XSS vulnerabilities recently, re-audit all cookies set by the patched code.

07Related Recent Vulnerabilities