In this lesson, we'll learn how to set the httpOnly flag on our session id cookie to ensure it is inaccessible from javascript, thereby defeating theft of the session id from the XSS attack we crafted in the previous lesson. However, we'll still leave ourselves open to other dangers from XSS, which we'll exploit in our next lesson!
Instructor: [00:00] Now that we've proven our site is vulnerable to XSS and that we could use that XSS to steal a document and cookie, let's fix that problem. In later lesson, I'll show you how to fix XSS in general. First, let's focus on simply protecting document.cookie.
[00:15] By default, when a browser sets a cookie, it's accessed both via either document.cookie or is sent in every request to the target domain. We can inspect the response from our server and see that when it sets cookie, it doesn't set the HTTP only flag. Let's fix that.
[00:32] We'll go over to our index file and we'll see where the session cookie settings are saved. We'll notice that we've had HTTP only set to false. If we remove this property from our cookie configuration and hit save, clear our cookies and reload, we'll see that now the setcookie call sets the HTTP only flag.
[00:57] If we log back in and attempt to post our malicious payload again, we can see if that the XSS still succeeds, but the payload it sends does not contain the actual cookie value. Indeed, the server's unable to log anything.
[01:18] What this means is that if you don't need to access programmatically to document.cookie in your application, set the HTTP only flag when sending cookies.
Member comments are a way for members to communicate, interact, and ask questions about a lesson.
The instructor or someone from the community might respond to your question Here are a few basic guidelines to commenting on egghead.io
Be on-Topic
Comments are for discussing a lesson. If you're having a general issue with the website functionality, please contact us at support@egghead.io.
Avoid meta-discussion
Code Problems?
Should be accompanied by code! Codesandbox or Stackblitz provide a way to share code and discuss it in context
Details and Context
Vague question? Vague answer. Any details and context you can provide will lure more interesting answers!