3.7 Ensure 'cookies' are set with HttpOnly attribute - Applications

Information

The httpOnlyCookies attribute of the httpCookies node determines if IIS will set the HttpOnly flag on HTTP cookies it sets. The HttpOnly flag indicates to the user agent that the cookie must not be accessible by client-side script (i.e document.cookie).

It is recommended that the httpOnlyCookies attribute be set to true.

Rationale:

When cookies are set with the HttpOnly flag, they cannot be accessed by client-side scripting running in the user's browser. Preventing client-side scripting from accessing cookie content may reduce the probability of a cross site scripting attack materializing into a successful session hijack.

Impact:

N/A

Solution

Locate and open the application's web.config file

Add the <httpCookies httpOnlyCookies='true' /> tag within <system.web>:

<configuration>
<system.web>
<httpCookies httpOnlyCookies='true' />
</system.web>
</configuration>

Setting the value of the httpOnlyCookies attribute of the httpCookies element to true will add the HttpOnly flag to all the cookies set by the application. All modern versions of browsers recognize HttpOnly attribute; older versions will either treat them as normal cookies or simply ignore them altogether.

Default Value:

By default, ASP.NET 2.0 does not force cookies to httpOnly.

See Also

https://workbench.cisecurity.org/benchmarks/13949

Item Details

Category: SYSTEM AND SERVICES ACQUISITION

References: 800-53|SA-8, CSCv7|18

Plugin: Windows

Control ID: 0976008fe484d63b1985c7d0772f586a5913ed74eca77d8a1166fd448d523953