This weakness occurs when a web application stores sensitive data such as session tokens, authentication credentials, or user identifiers in a cookie without…
This weakness occurs when a web application stores sensitive data (such as session tokens, authentication credentials, or user identifiers) in a cookie without setting the HttpOnly flag. Without this flag, client-side JavaScript can read the cookie, making it vulnerable to theft if an attacker can inject malicious scripts into the page—a common attack vector known as Cross-Site Scripting (XSS).
02How It Happens
When a cookie is created without the HttpOnly attribute, the browser allows any JavaScript running in the same origin to access it via document.cookie. If an attacker exploits an XSS vulnerability to inject malicious JavaScript, that script can read and exfiltrate sensitive cookies to an attacker-controlled server. The HttpOnly flag restricts cookie access to HTTP(S) requests only, preventing JavaScript from reading it. This is a simple but critical defense layer that many developers overlook, especially when setting cookies manually rather than relying on framework defaults.
03Real-World Impact
An attacker who steals a session cookie can impersonate the legitimate user without needing their password. This can lead to unauthorized account access, data theft, fraudulent transactions, or privilege escalation if the compromised account has administrative rights. Even if other security measures (like CSRF tokens) are in place, a stolen session cookie often bypasses them entirely. The risk is amplified in applications handling financial data, personal information, or administrative functions.
Why it's vulnerable: The cookie is set without the httponly=True parameter, allowing any JavaScript on the page to read document.cookie and access the session token.
Always set HttpOnly=true on any cookie containing authentication tokens, session IDs, or user identifiers.
Pair HttpOnly with Secure to ensure cookies are only transmitted over HTTPS, preventing interception on unencrypted connections.
Use SameSite attribute (set to Strict or Lax) to mitigate Cross-Site Request Forgery (CSRF) attacks.
Audit existing cookies in your application; use browser developer tools (Application/Storage tab) to verify all sensitive cookies have HttpOnly set.
Use framework session handlers (e.g., Flask sessions, PHP session_start() with proper configuration) rather than manual cookie management when possible—they often apply secure defaults.
Test with XSS payloads in a controlled environment to confirm that injected scripts cannot access sensitive cookies.
06Signs You May Already Be Affected
Check your application's cookies using browser developer tools (F12 → Application/Storage → Cookies). If you see cookies containing session tokens, user IDs, or authentication data without an "HttpOnly" label, they are vulnerable. Review your web server and application logs for signs of XSS exploitation (unusual script tags in query parameters or POST data, unexpected JavaScript errors, or suspicious cookie access patterns). If you have deployed patches for XSS vulnerabilities recently, re-audit all cookies set by the patched code.