Jump to content

CSRF Attack and http-only attribute

Darth Florus

Recommended Posts

Mr. Farshad:


I was investigate about security issues because a auditoring in my customers.


I see that UniGui doesn't have Session Cookies, then is no problem the use of the parameter HttpOnly for the cookies.


I realice that have a javascript variable _S_ID with the Session ID value.


The HttpOnly parameters is to avoid a maliciosus javascript to get/set the Session Cookie ID, but implemening with a JavaScript Variable is more modificable and have not a way to avoid this. I'm right?


About CSRF attacks I want to ask if they are implemented a issue to avoid this type of attack.


Best Regards

Link to comment
Share on other sites

  • 3 years later...

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...