Burp Suite User Forum


security testing

Neha | Last updated: Jun 09, 2017 07:09AM UTC

Hi Team, We have tested one app in which we have set the cookie as Secure & HttpOnly at code level. But still it's showing us the below issue during scanning: "Cookie without HttpOnly flag set". Kindly suggest why it's showing this if it's already fixed. Thanks

PortSwigger Agent | Last updated: Jun 09, 2017 07:32AM UTC

When you click on the issue, you should see a Request and Response tab. You may need to expand the issue and pick one particular instance. The Response will show the Set-Cookie header, which you can review to determine if HttpOnly is present. The cookie options only have a security impact on session cookies. It may be that Burp is reporting this issue for a cookie that has no security significance - that's something you would need to confirm manually.
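The reply above suggests reviewing the Set-Cookie header in the response yourself. The following is an added example, not code from the thread or from PortSwigger, that does that review over a constructed set of response header lines: it parses each Set-Cookie header, lowercases the attribute names (the flags are case-insensitive), and lists which of HttpOnly and Secure are absent for each cookie. The cookie names and values are constructed samples, and the `persistent` field is a simple heuristic (presence of Expires or Max-Age) to help separate browser-session cookies from long-lived ones when deciding which findings matter.

```python
"""Audit Set-Cookie headers in an HTTP response for the HttpOnly and Secure flags."""
from typing import Dict, List

# Constructed sample response (not taken from the thread).
# Cookie 1 carries both flags; cookie 2 lacks HttpOnly (the finding in the
# question); cookie 3 is a non-session preference cookie with neither flag,
# the kind of cookie a scanner may still report but that carries no session.
SAMPLE_HEADERS = [
    "HTTP/1.1 200 OK",
    "Content-Type: text/html",
    "Set-Cookie: JSESSIONID=abc123; Path=/; Secure; HttpOnly",
    "Set-Cookie: authtoken=xyz789; Path=/; Secure",
    "Set-Cookie: lang=en; Path=/; Max-Age=31536000",
]

# Flags to check, stored lowercase because attribute names are case-insensitive.
REQUIRED_FLAGS = ("httponly", "secure")


def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Split 'name=value; Attr; Attr=val' into the name, value and an attribute map.

    Attribute keys are lowercased; flag attributes without a value map to True.
    """
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_cookies(header_lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per Set-Cookie header: cookie name, missing flags,
    and whether the cookie is persistent (has Expires or Max-Age)."""
    findings = []
    for line in header_lines:
        field, _, value = line.partition(":")
        if field.strip().lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(value)
        attrs = cookie["attrs"]
        missing = [flag for flag in REQUIRED_FLAGS if flag not in attrs]
        persistent = "expires" in attrs or "max-age" in attrs
        findings.append(
            {"name": cookie["name"], "missing": missing, "persistent": persistent}
        )
    return findings


if __name__ == "__main__":
    for finding in audit_cookies(SAMPLE_HEADERS):
        status = "OK" if not finding["missing"] else "missing " + ", ".join(finding["missing"])
        kind = "persistent" if finding["persistent"] else "session-lifetime"
        print(f"{finding['name']}: {status} ({kind})")
```

Running the script prints one line per cookie, so a reported cookie can be matched against the exact header the server sent; whether a flagged cookie actually carries a session token is still a judgement the tester makes, as the reply notes.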
