Not Http-Only Cookie

  • CWE-1004

Not HttpOnly Cookie occurs when a web application sets cookies without the HttpOnly attribute. Cookies without this flag can be read by client-side scripts such as JavaScript, increasing the risk of theft through cross-site scripting (XSS) attacks or malicious browser extensions. This vulnerability can lead to session hijacking, unauthorized access, or exposure of sensitive information stored in cookies, such as authentication tokens or session identifiers.

Common patterns leading to cookies lacking the HttpOnly flag:

  • Setting authentication or session cookies via server-side code without HttpOnly.
  • Framework defaults that do not enforce HttpOnly unless explicitly configured.
  • Using JavaScript to create cookies for authentication or sensitive data storage.
  • Absence of secure cookie policies in server or application configuration.

Impacts:

  • Session Hijacking: Attackers can steal session identifiers through XSS attacks or client-side scripts.
  • Sensitive Data Exposure: Cookies may contain sensitive user data accessible to malicious scripts.
  • Privilege Escalation: Stolen cookies may allow attackers to impersonate other users or gain elevated privileges.
  • Increased Risk in Shared Devices: Other users or browser extensions can access non-HttpOnly cookies.

Detection indicators:

  • Cookies returned in HTTP responses without the HttpOnly flag.
  • Client-side scripts able to read session or authentication cookies.
  • Security scanners flagging cookies missing security attributes.

Remediation

Mitigation strategies focus on securing cookie attributes and handling:

  1. Set HttpOnly Attribute on Sensitive Cookies
    Configure the web server or application framework to mark all authentication, session, and sensitive cookies as HttpOnly.

  2. Use Secure Attribute
    Combine HttpOnly with Secure to ensure cookies are transmitted only over HTTPS connections.

  3. Limit Cookie Scope
    Use the Path and Domain attributes to restrict where cookies are sent.

  4. Avoid Storing Sensitive Data in Client-Accessible Cookies
    Do not store passwords, tokens, or other confidential information in cookies accessible via JavaScript.

  5. Review Framework Defaults
    Check default cookie behavior in web frameworks and enforce HttpOnly where necessary.

  6. Regular Security Testing
    Include checks for missing HttpOnly and Secure attributes during penetration testing and automated scans.

  7. Monitor and Audit Cookies
    Review HTTP responses to ensure all sensitive cookies are properly flagged.
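As an added example (not code from the original page), the following Python checks response Set-Cookie headers for the detection indicator above and builds a header carrying the attributes from steps 1 to 3; the SENSITIVE_HINTS name heuristic and the sample cookies are assumptions.

```python
"""Audit Set-Cookie headers for HttpOnly/Secure and emit a correctly flagged one.
Added example, not from the original page; sample cookies are constructed."""
from http.cookies import SimpleCookie

# Names that usually carry session or auth material (an assumed heuristic).
SENSITIVE_HINTS = ("session", "sess", "auth", "token", "sid")


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {attr_lower: attr_value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()   # bare flags like HttpOnly map to ""
    return name.strip(), value, attrs


def audit_set_cookie(headers):
    """Return [(name, [missing attrs], (path, domain))] for sensitive cookies that
    lack HttpOnly or Secure: the 'detection indicator' from the text."""
    findings = []
    for h in headers:
        name, _, attrs = parse_set_cookie(h)
        if not any(hint in name.lower() for hint in SENSITIVE_HINTS):
            continue
        missing = [a for a in ("HttpOnly", "Secure") if a.lower() not in attrs]
        if missing:
            scope = (attrs.get("path", "/"), attrs.get("domain", "<host-only>"))
            findings.append((name, missing, scope))
    return findings


def hardened_set_cookie(name, value, path="/"):
    """Emit a Set-Cookie value carrying HttpOnly, Secure and a restricted Path."""
    c = SimpleCookie()
    c[name] = value
    c[name]["httponly"] = True
    c[name]["secure"] = True
    c[name]["path"] = path
    return c[name].OutputString()


# Constructed sample headers: unflagged session cookie, flagged auth cookie, preference cookie.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/",
    "auth_token=xyz; Path=/api; Secure; HttpOnly",
    "theme=dark; Path=/",
]
```

Running audit_set_cookie over a proxy or scanner capture of real responses reports only the sensitive cookies that still need flags, while hardened_set_cookie shows the form the server should emit instead.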
