Cookie HttpOnly

Hi! I was checking the security of my concrete5 site with OWASP ZAP and one of the low priority alerts says that the Cookie is set without HttpOnly flag.
The description of the problem is:
"A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible."

My questions are:
1.- Do I have to worry about it? Is it a security risk?
2.- If it is risky, how do I fix it?

Thanks in advance and sorry for my bad English.

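The check behind the ZAP alert quoted above, as an added example in Python that is not part of the original post or of concrete5: it parses Set-Cookie headers from constructed sample responses, reports which of HttpOnly and Secure each cookie lacks, and rates a session cookie without HttpOnly as the serious case the alert describes. The session cookie name CONCRETE5 is an assumption.

```python
from __future__ import annotations
from dataclasses import dataclass

# Names treated as session cookies regardless of attributes ("CONCRETE5" is assumed; PHPSESSID is PHP's default).
SESSION_COOKIE_NAMES = {"concrete5", "phpsessid"}

# Constructed sample response headers, not captured from the original site.
SAMPLE_HEADERS = [
    "Set-Cookie: CONCRETE5=abc123; path=/",                    # session cookie, no flags
    "Set-Cookie: CONCRETE5=abc123; path=/; HttpOnly; Secure",  # hardened form
    "Set-Cookie: theme=dark; path=/; Max-Age=31536000",        # persistent, non-session
]

@dataclass
class CookieFinding:
    name: str
    missing: list[str]   # flags the cookie lacks, from ("httponly", "secure")
    session: bool        # does this cookie identify a session?
    severity: str        # "high", "low" or "none"

def parse_set_cookie(header: str) -> tuple[str, dict[str, str | None]]:
    """Split one Set-Cookie header into (cookie name, {attribute_lowercase: value})."""
    _, _, value = header.partition(":")
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs: dict[str, str | None] = {}
    for part in parts[1:]:
        if part:
            key, has_value, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip() if has_value else None
    return name, attrs

def audit_cookie(header: str) -> CookieFinding:
    """Apply the HttpOnly/Secure check ZAP describes to a single Set-Cookie header."""
    name, attrs = parse_set_cookie(header)
    missing = [flag for flag in ("httponly", "secure") if flag not in attrs]
    # No Expires/Max-Age means the cookie lives only for the browser session; treat it as a session cookie.
    session = name.lower() in SESSION_COOKIE_NAMES or not ({"expires", "max-age"} & attrs.keys())
    if not missing:
        severity = "none"
    elif "httponly" in missing and session:
        severity = "high"   # script-readable session cookie: the hijacking case from the alert
    else:
        severity = "low"
    return CookieFinding(name, missing, session, severity)

def audit_headers(headers: list[str]) -> list[CookieFinding]:
    return [audit_cookie(h) for h in headers if h.lower().startswith("set-cookie:")]
```

On the server side the fix is to set the flag when the cookie is issued; for PHP's own session cookie that is `session.cookie_httponly = 1` in php.ini (or `ini_set('session.cookie_httponly', '1')` before `session_start()`).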