Cookies with short values are ignored

Tiago | Last updated: Aug 07, 2017 12:34PM UTC

I've noticed that missing HttpOnly is not reported for cookies whose values are less than 5 characters long. Is this on purpose? Why? Thanks

PortSwigger Agent | Last updated: Aug 07, 2017 12:58PM UTC

Hi Tiago, this behavior is by design. The HttpOnly flag is useful for cookies whose content is secret, such as session tokens. It is not needed for other cookies. A cookie shorter than 5 characters could never be a session cookie - it's too short to resist brute-force attacks.
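As an added illustration (not Burp's own code), the check below applies the length threshold described in this reply to a set of Set-Cookie headers: cookies shorter than the cutoff are skipped, and only longer cookies lacking HttpOnly are reported. The 5-character cutoff is taken from the reply; the sample headers are constructed.

```python
from typing import Dict, List

# Minimum value length below which a cookie is treated as too short
# to hold a secret such as a session token (cutoff from the reply above).
MIN_SECRET_LENGTH = 5


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Parse one Set-Cookie header value into name, value and attributes.

    Attribute names are lower-cased; flag attributes (HttpOnly, Secure)
    map to True, valued attributes (Path, SameSite) keep their value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def missing_httponly(headers: List[str], min_len: int = MIN_SECRET_LENGTH) -> List[str]:
    """Return names of cookies that lack HttpOnly and whose value is at
    least min_len characters long, mirroring the reported behaviour."""
    findings = []
    for h in headers:
        cookie = parse_set_cookie(h)
        if len(cookie["value"]) < min_len:
            continue  # too short to be a secret; not reported
        if "httponly" not in cookie["attrs"]:
            findings.append(cookie["name"])
    return findings


# Constructed sample response headers (not from the original page).
SAMPLE_HEADERS = [
    "JSESSIONID=8f3a9c1d2e4b5a6f7c8d; Path=/; Secure",
    "lang=en; Path=/",
    "theme=dark; Path=/; HttpOnly",
    "csrftoken=abcdef0123456789; Path=/; HttpOnly; SameSite=Lax",
]

if __name__ == "__main__":
    print(missing_httponly(SAMPLE_HEADERS))  # ['JSESSIONID']
```

Lowering `min_len` to 0 shows the difference the threshold makes: the 2-character `lang` cookie is then reported as well.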

