Insecurely generated cookies - HttpOnly

Need

Secure generation of cookies with the HttpOnly attribute

Context

  • Usage of Scala for building scalable and high-performance applications
  • Usage of play.api.mvc for handling HTTP requests and responses in Play Framework

Description

Non compliant code

import play.api.mvc._

// Handler that issues the session cookie with HttpOnly explicitly disabled,
// so the browser exposes it to client-side script via document.cookie.
def login = Action {
  val cookie = Cookie("session", "your-session-id", httpOnly = false)
  Ok("Hello").withCookies(cookie)
}

In the above code, we create a cookie named "session" with the value "your-session-id" but pass httpOnly = false, so the Set-Cookie response header carries no HttpOnly attribute. HttpOnly is a flag in the Set-Cookie HTTP response header. When it is present, the browser keeps the cookie out of reach of client-side scripts (it is not visible through document.cookie), which limits what an injected script can steal in a cross-site scripting (XSS) attack. Note that Play's play.api.mvc.Cookie case class defaults httpOnly to true, so the attribute is typically lost when code disables it explicitly (for example, by copying a snippet written for a cookie that JavaScript legitimately needs to read) or when a Set-Cookie header is assembled by hand as a raw string.

Without the HttpOnly attribute, any script running in the page's origin can read the cookie. If an attacker manages to inject a script into the page (through XSS or another injection flaw), the script can read the session identifier and send it to a server the attacker controls, after which the attacker can replay it and hijack the session. HttpOnly does not stop an injected script from issuing requests that the browser automatically decorates with the cookie, so it reduces the damage of an XSS flaw rather than preventing it; the injection itself still has to be fixed.

Therefore, it is a security best practice to set the HttpOnly attribute on every cookie that client-side script has no need to read, above all on cookies that carry session identifiers or other sensitive data.

Steps

  • Set the HttpOnly attribute whenever a cookie is generated.
  • In Scala, pass httpOnly = true to the play.api.mvc.Cookie constructor (or call copy(httpOnly = true) on an existing Cookie); the Java API's Http.Cookie builder exposes withHttpOnly(true) for the same purpose.
  • Never pass httpOnly = false for a cookie that carries a session identifier or other sensitive data; client-side scripts have no legitimate need to read it.
  • Test the application and inspect the Set-Cookie response headers to verify that the HttpOnly attribute is present on every generated cookie.

Compliant code

import play.api.mvc._

// Handler that issues the session cookie with HttpOnly set explicitly,
// so the browser never exposes it to document.cookie.
def login = Action {
  val cookie = Cookie("session", "your-session-id", httpOnly = true)
  Ok("Hello").withCookies(cookie)
}

The original code issued the session cookie without the HttpOnly attribute, so any script running in the page, including script injected through an XSS flaw, could read it. The attribute neither causes nor prevents XSS; it limits what a successful injection can steal.

The fixed code passes httpOnly = true when constructing the Cookie object. Play's Cookie case class already defaults httpOnly to true, so the attribute only goes missing when code passes httpOnly = false or builds the Set-Cookie header by hand; stating the flag explicitly makes the intent visible and survives later refactoring. The resulting Set-Cookie header carries the HttpOnly attribute, and the browser will not expose the cookie to client-side script.

HttpOnly on its own is not sufficient for a session cookie. Pair it with secure = true so that the cookie is only sent over HTTPS, and on Play 2.6 and later with sameSite = Some(Cookie.SameSite.Lax) (or Strict) to limit cross-site requests that carry it. For Play's own session cookie the equivalent settings live in configuration (play.http.session.httpOnly, play.http.session.secure and, from Play 2.6, play.http.session.sameSite).

After applying the fix, test the application: inspect the Set-Cookie headers of every response that issues a cookie (browser developer tools, curl -i, or an automated check) and confirm that each sensitive cookie carries HttpOnly, and that any functionality that legitimately reads cookies from script still works.
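The final step above calls for verifying that the HttpOnly attribute actually reaches the browser. The script below is an added example, not code from the original page or from the Play Framework project: it parses Set-Cookie header values as a response carries them and reports session-bearing cookies that lack HttpOnly, Secure, or a Lax/Strict SameSite value, which goes slightly beyond the page by checking the two companion attributes as well. The header strings in SAMPLE_HEADERS are constructed sample input, and the name fragments in SESSION_NAME_HINTS that mark a cookie as session-bearing are an assumption to tune for your application.

```python
"""Audit Set-Cookie response headers for missing HttpOnly and related attributes.

Added example: not part of the original page or of Play Framework.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Assumption: cookies whose names contain one of these fragments carry a
# session or authentication token. Adjust for your application.
SESSION_NAME_HINTS = ("session", "sid", "auth", "token")


@dataclass
class SetCookie:
    name: str
    value: str
    # Attribute names are lower-cased; flag attributes (HttpOnly, Secure) map to "".
    attrs: Dict[str, str] = field(default_factory=dict)


def parse_set_cookie(header: str) -> SetCookie:
    """Parse one Set-Cookie header value (RFC 6265 syntax; attribute names are case-insensitive)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return SetCookie(name.strip(), value.strip(), attrs)


def is_session_cookie(name: str) -> bool:
    """Heuristic: does the cookie name look like it carries a session or auth token?"""
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def audit_cookie(cookie: SetCookie) -> List[str]:
    """Return the hardening attributes missing from a single cookie, in a fixed order."""
    problems: List[str] = []
    if "httponly" not in cookie.attrs:
        problems.append("missing HttpOnly")
    if "secure" not in cookie.attrs:
        problems.append("missing Secure")
    if cookie.attrs.get("samesite", "").lower() not in ("lax", "strict"):
        problems.append("SameSite not Lax or Strict")
    return problems


def audit_headers(headers: List[str]) -> Dict[str, List[str]]:
    """Audit every Set-Cookie header; only session-bearing cookies with findings are reported."""
    findings: Dict[str, List[str]] = {}
    for header in headers:
        cookie = parse_set_cookie(header)
        if not is_session_cookie(cookie.name):
            continue
        problems = audit_cookie(cookie)
        if problems:
            findings[cookie.name] = problems
    return findings


# Constructed sample headers, shaped like those a Play application would emit.
SAMPLE_HEADERS = [
    "session=your-session-id; Path=/",                                   # the non-compliant cookie
    "auth_token=your-session-id; Path=/; HttpOnly",                      # HttpOnly only
    "PLAY_SESSION=eyJhbGciOiJIUzI1NiJ9.e30; Path=/; Secure; HttpOnly; SameSite=Lax",
    "theme=dark; Path=/; Max-Age=31536000",                              # not a session cookie
]

if __name__ == "__main__":
    for cookie_name, problems in audit_headers(SAMPLE_HEADERS).items():
        print(f"{cookie_name}: {', '.join(problems)}")
```

In practice, feed audit_headers with the Set-Cookie values captured from the login and session-refresh responses of the running application (for example from curl -i output or a proxy log) and fail the test if it returns any findings.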

References