Cookie set without HttpOnly flag

    $page = "libs/tinyfilemanager/tinyfilemanager.php";
    }

    // flagged line: the session cookie is set without the httponly option
    setcookie("nu_".$appId, $_SESSION['nubuilder_session_data']['SESSION_ID']);

    return $page;
    }
Description

Cookies set without the httponly flag can be read by client-side script, which allows cookie theft through Cross-Site Scripting (XSS) attacks. By default, the setcookie and setrawcookie functions create the cookie with httponly set to false. It is recommended to explicitly set httponly to true to prevent this risk.

In the past it has led to vulnerabilities like:

Cross-Site Scripting (XSS) attacks target the theft of cookies set by the application. If the httponly attribute is set to true, an XSS vulnerability cannot be exploited to steal the application's cookies, since the browser withholds them from script.