QIWI: Session Cookie without HttpOnly and secure flag set

ID H1:75357
Type hackerone
Reporter pradeepch99
Modified 2015-09-27T08:36:43


vulnerable URL:https://portal.int.qiwi.com/login.php The PHPSESSID cookie does not have the HTTPOnly flag set. When a cookie is set with the HTTPOnly flag, it instructs the browser that the cookie can only accessed by the server and not by client-side scripts. This is an important security protection for session cookies.