HTTP by itself is a stateless protocol. Therefore the server is unable to determine which requests are performed by which client, and which clients are authenticated or unauthenticated.

The use of HTTP cookies within the headers allows a web server to identify each individual client and therefore to distinguish the clients that hold a valid authentication from those that do not. Cookies used for this purpose are known as session cookies.

When a cookie is set by the server (sent in the header of an HTTP response), there are several flags that can be set to configure the properties of the cookie and how it is to be handled by the browser.

The HttpOnly flag prevents client-side scripts (such as JavaScript) from accessing and using the cookie.

This helps limit the impact of XSS attacks that target the cookie holding the client's session token (setting the HttpOnly flag does not prevent, nor safeguard against, XSS vulnerabilities themselves).
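An added example (not code from the original post) that audits Set-Cookie response headers for the HttpOnly flag described above; the header lines are constructed samples, and the extra Secure check goes beyond this specific finding:

```python
# Added example, not code from the original post: audit Set-Cookie headers for
# the HttpOnly flag. All header values below are constructed samples.

def parse_set_cookie(header_value: str) -> dict:
    """Split one Set-Cookie value into name, value and a lower-cased attribute map."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            # Attribute names are case-insensitive (RFC 6265); flags have no value.
            attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_set_cookie(header_value: str) -> list:
    """Return findings for one Set-Cookie value. HttpOnly is the check this
    finding is about; the Secure check is an added generalisation."""
    cookie = parse_set_cookie(header_value)
    findings = []
    if "httponly" not in cookie["attrs"]:
        findings.append("missing HttpOnly: readable by client-side script")
    if "secure" not in cookie["attrs"]:
        findings.append("missing Secure: also sent over plaintext HTTP")
    return findings


def audit_response_headers(raw_headers: list) -> dict:
    """Map each cookie name set in a list of 'Name: value' header lines to its findings."""
    report = {}
    for line in raw_headers:
        name, _, value = line.partition(":")
        if name.strip().lower() == "set-cookie":
            report[parse_set_cookie(value)["name"]] = audit_set_cookie(value)
    return report


# Constructed sample headers: the first cookie is the weak form the scanner
# reports, the second is the hardened form of the same session cookie.
SAMPLE_HEADERS = [
    "Content-Type: text/html; charset=utf-8",
    "Set-Cookie: sessionid=c0nstructedvalue; Path=/",
    "Set-Cookie: sessionid_hardened=c0nstructedvalue; Path=/; HttpOnly; Secure",
]

if __name__ == "__main__":
    for cookie_name, findings in audit_response_headers(SAMPLE_HEADERS).items():
        print(cookie_name, "->", findings or ["ok"])
```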

Vector type   HTTP method   Action
cookie        GET           https://wallet-test.eyesprotocol.io/
