MakeWebGames

Secure sessions against XSS


sniko

So, I was browsing YouTube, and I came across this guy and this - which he could explain better than me, but in a nutshell, here's the information:

A malicious/naughty naughty person can 'extract' your session/cookie data using XSS through a query string, and 'use' it. (He explains it well in the video.) Anyway, he explains that a session/cookie not having `httponly` set to FALSE can be extracted using JavaScript, but if `httponly` is set to TRUE, the sessions/cookies can not be 'executed/manipulated/-whathaveyou-' through JavaScript - or it's hard to.

He uses a very good example in the , extracting a cookie that holds his personal information, and shows that a cookie with `httponly` = TRUE was not extracted - quite a nifty, yet overlooked, hack/trick.

So how do I set httponly to TRUE?

session_set_cookie_params - php manual.

I encourage you to watch his as it's really informative.

- Stay safe;

sniko


But what if you want to manipulate the cookies client side within javascript?

Still seems rather helpful if I'm honest though, good share.

Ah yes, I forgot to mention that. Good thought.

You won't be able to, so I assume you'd have to compensate, or send the cookie value encrypted; even then it's not totally secure.

(I expect you knew the answer anyway, but wanted to raise the question for others)
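As an added example (not from the thread or any poster's own code), here is the PHP side of what both posts above describe, assuming PHP 7.3 or newer for the array forms of `session_set_cookie_params` and `setcookie`: the session cookie gets `httponly` (plus `secure` and `samesite`), and any state the client-side script genuinely needs lives in a separate cookie that carries no session secret.

```php
<?php
// Added example: harden the PHP session cookie against script access and
// keep client-readable state in a separate, non-sensitive cookie.
declare(strict_types=1);

// Weak configuration (shown for contrast, do not use): with httponly false
// the session id is readable via document.cookie, so one XSS bug leaks it.
// session_set_cookie_params(0, '/', '', false, false);

// Hardened configuration. Must run before session_start().
session_set_cookie_params([
    'lifetime' => 0,        // browser-session cookie
    'path'     => '/',
    'domain'   => '',       // current host only
    'secure'   => true,     // sent over HTTPS only
    'httponly' => true,     // hidden from document.cookie
    'samesite' => 'Lax',    // not sent on most cross-site requests
]);

// Equivalent ini knobs, handy when you cannot edit the call site:
// ini_set('session.cookie_httponly', '1');
// ini_set('session.cookie_secure', '1');
// ini_set('session.cookie_samesite', 'Lax');
// ini_set('session.use_strict_mode', '1'); // reject ids the server never issued

session_start();

// The cookie JavaScript is allowed to read: UI state only (hypothetical name),
// never the session id or anything derived from it.
setcookie('ui_theme', 'dark', [
    'expires'  => time() + 30 * 24 * 3600,
    'path'     => '/',
    'secure'   => true,
    'httponly' => false,    // deliberately readable client side
    'samesite' => 'Lax',
]);

// Self-check: confirm the session cookie flags actually took effect.
$params = session_get_cookie_params();
if ($params['httponly'] !== true || $params['secure'] !== true) {
    error_log('session cookie is not httponly+secure; check call order');
}
```

Verify in the browser's developer tools that the session cookie shows the HttpOnly flag and that `document.cookie` lists only `ui_theme`.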
