sniko Posted September 3, 2012

So, I was browsing YouTube, and I came across this guy and this - which he could explain better than me, but in a nutshell, here's the information: a malicious/naughty naughty person can 'extract' your session/cookie data using XSS through a query string, and 'use' it. (He explains it well in the video.)

Anyway, he explains that a session/cookie not having httponly set to FALSE can be extracted using javascript, but if httponly is set to TRUE, the sessions/cookies can not be 'executed/manipulated/-whathaveyou-' through javascript - or it's hard to. He uses a very good example in the , extracting a cookie that holds his personal information, and shows that a cookie with httponly = TRUE was not extracted - quite a nifty, yet overlooked, hack/trick.

So how do I set httponly to TRUE? session_set_cookie_params - php manual.

I encourage you to watch his as it's really informative.

- Stay safe; sniko
Dave Posted September 3, 2012

But what if you want to manipulate the cookies client side within javascript? Still seems rather helpful if I'm honest though, good share.
sniko (Author) Posted September 3, 2012

> But what if you want to manipulate the cookies client side within javascript? Still seems rather helpful if I'm honest though, good share.

Ah yes, I forgot to mention that. Good thought. You won't be able to, so I assume you'd have to compensate, or send the cookie value encrypted; even then it's not totally secure. (I expect you knew the answer anyway, but wanted to raise the question for others.)
a_bertrand Posted September 3, 2012

What it teaches you: never put untrusted / unchecked text on the page. That's the main thing.
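Putting sniko's session_set_cookie_params tip, Dave's client-side question and a_bertrand's "never echo unchecked text" rule together, here is an added example (not code from the thread or from the linked video). It assumes PHP 7.3 or newer for the array form of session_set_cookie_params() and setcookie(); the older positional calls are given in comments. The cookie names app_pref and ui_theme and the helper e() are my own choices.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread. Assumes PHP 7.3+ for the array form
// of session_set_cookie_params() and setcookie().

// 1. Harden the session cookie. This must run before session_start().
session_set_cookie_params([
    'lifetime' => 0,       // expires with the browser session
    'path'     => '/',
    'domain'   => '',      // current host only
    'secure'   => true,    // sent only over HTTPS
    'httponly' => true,    // invisible to document.cookie, so an XSS payload cannot read it
    'samesite' => 'Lax',   // not sent on most cross-site requests
]);
// Pre-7.3 positional equivalent (no samesite parameter):
// session_set_cookie_params(0, '/', '', true, true);
//
// The same can be done server-wide in php.ini:
//   session.cookie_httponly = 1
//   session.cookie_secure   = 1
session_start();

// 2. Any extra cookie you set yourself gets the same flags.
//    (cookie name 'app_pref' is a constructed example)
setcookie('app_pref', 'dark', [
    'expires'  => time() + 86400 * 30,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
// Pre-7.3: setcookie('app_pref', 'dark', time() + 86400 * 30, '/', '', true, true);

// 3. If a value genuinely must be read by client-side script (Dave's case),
//    keep it in a separate cookie that never carries session or auth data, so
//    a script that reads it gains nothing it could not already see on the page.
//    (cookie name 'ui_theme' is a constructed example)
setcookie('ui_theme', 'dark', [
    'expires'  => time() + 86400 * 30,
    'path'     => '/',
    'secure'   => true,
    'httponly' => false,   // intentionally readable by JavaScript
    'samesite' => 'Lax',
]);

// 4. a_bertrand's point: never echo query-string input unescaped. HttpOnly
//    limits what a successful XSS can steal; escaping prevents the XSS itself.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$name = (string) ($_GET['name'] ?? 'guest');
echo '<p>Hello, ' . e($name) . '</p>';
```

All cookie-setting calls come before the first echo because PHP cannot send Set-Cookie headers once output has started. To confirm the flags on a live page, look at the Set-Cookie header in the browser's developer tools: the session cookie should show HttpOnly and Secure, and document.cookie in the console should list ui_theme but not the session cookie.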
Spudinski Posted September 10, 2012

"You must spread some Reputation around before giving it to a_bertrand again." +1