In my website I am not using any kind of cookies, everything goes through server-side session handling. (no setcookie instruction at all)

But still, using Acunetix website vulnerability checker, I get a report about "Session cookie without httpOnly flag set"

Is there something I'm missing? Are there any implicit cookies anyway?

Thank you

Sebas
  • session_start() does an implicit setcookie() to store the session ID in the client browser as a cookie... **UNLESS** you've enabled trans_sid sessions in PHP, which is a horribly stupidly bad idea – Marc B Mar 16 '13 at 14:44
  • I see, that answers my question. How do I set the httpOnly flag for these cookies? – Sebas Mar 16 '13 at 14:51
  • http://php.net/manual/en/function.session-set-cookie-params.php – Marc B Mar 16 '13 at 14:53
  • thank you, I also took note of the `session.cookie-secure` parameter on my way. – Sebas Mar 16 '13 at 14:57

1 Answer

Sessions are using cookies! Unless you transport the session id in URLs (which isn't good either), a session sets a cookie. A session consists of the server-side data storage and a session cookie, which contains a random id associating the client with the server-side data.

deceze
  • thank you, is there any sensitive data on the client side? How to apply the httponly flag to it? – Sebas Mar 16 '13 at 14:52
  • there'll only be sensitive data on the client if you put it there. a session ID **CAN** be sensitive, e.g. the session ID for your bank's login, v.s. a generally useless session for your average angst-ridden teenybopper's facebook login. – Marc B Mar 16 '13 at 14:54
  • No, I'm absolutely not storing any personal or sensitive information. I'll protect it anyway. Thank you guys, being a beginner has this cool that you learn every day :-) – Sebas Mar 16 '13 at 14:58
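As an added example (not code from the question or the answer above): the flags the scanner complains about have to be set before `session_start()`, because that is the call that implicitly sends the `Set-Cookie` header. This assumes PHP 7.3 or later for the array form of `session_set_cookie_params()`; the `headers_list()` check at the end only works under a web SAPI, not the CLI.

```php
<?php
// Make sure the session id is never carried in URLs (trans_sid), only in the cookie.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');

// Equivalent php.ini settings: session.cookie_httponly, session.cookie_secure,
// session.cookie_samesite. Setting them here keeps the policy next to the code.
session_set_cookie_params([
    'lifetime' => 0,      // browser-session cookie, dropped when the browser closes
    'path'     => '/',
    'domain'   => '',     // current host only
    'secure'   => true,   // sent over HTTPS only
    'httponly' => true,   // not exposed to document.cookie (what Acunetix flagged)
    'samesite' => 'Lax',  // not attached to cross-site POST requests
]);

session_start();

// Rotate the id after authentication so a pre-login id is not reused (session fixation).
if (isset($_POST['login_ok']) && empty($_SESSION['authenticated'])) {
    session_regenerate_id(true);
    $_SESSION['authenticated'] = true;
}

// Self-check: inspect the header PHP queued for this response. Must run before any
// output is sent, otherwise the headers are already gone.
function session_cookie_flags_ok(): bool {
    foreach (headers_list() as $header) {
        if (stripos($header, 'Set-Cookie: ' . session_name() . '=') === 0) {
            return stripos($header, 'HttpOnly') !== false
                && stripos($header, 'Secure') !== false;
        }
    }
    return false; // no session cookie queued at all
}

if (!session_cookie_flags_ok()) {
    error_log('session cookie is missing HttpOnly/Secure flags');
}
```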