Cookies with HttpOnly Flag: Problem in Some Browsers
What about the case when the session ID is regenerated after a successful login? Can it still be used somehow by the attacker? In that case the attacker can switch the user to the attacker's own account by setting the user's session to the one that the attacker is currently using. The user then thinks that he is using his own account and actually enters sensitive information into the attacker's account.
- Opera Mobile
- Opera Mini
- BlackBerry browser
The problem was reported to the vendors (4 February 2014).
Internet Explorer, Firefox and Opera (standard install) are not vulnerable to the aforementioned attack.
4. Response from vendors
BlackBerry responded that the PlayBook tablet OS (I used this one while testing) has been announced as out of support as of April 2014 and that the issue will not be fixed. However, the issue was reported before the OS end of support was announced, and they decided to put me on the Acknowledgements 2014 list of the BlackBerry Security Incident Response Team (due to their policy, my name will be put there by the end of April 2014).
The issue was confirmed in Konqueror, but it will probably not be fixed. The conversation about this bug is available in the KDE Bugtracking System.
The issue was reported to Apple two months ago, and since then I haven’t received any feedback from them.
5. Playing with the issue
Here is a simple piece of code:
<?php
// Show the cookie values the server received with this request.
print "Cookie1: ".$_COOKIE['cookie1']."<br>";
print "Cookie2: ".$_COOKIE['cookie2'];
?>
<script>document.cookie='cookie1=100; expires=Thu, 2 Aug 2014 20:00:00 UTC; path=/';</script>
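The storage rule this test exercises, modelled as an added example (not code from the original article): RFC 6265, section 5.3 says a cookie written through a non-HTTP API such as document.cookie must be ignored when a cookie with the same name already has the HttpOnly flag set. The CookieJar class, the replay function and the cookie values are constructed for illustration, and cookie1 is assumed to have been set by the server with HttpOnly.

```javascript
// Toy model of a browser cookie store (hypothetical names, not a real browser API).
// Only name, value and the HttpOnly flag are tracked; path, domain, expiry are ignored.
class CookieJar {
  // enforceRule=true models RFC 6265 section 5.3: a write from a non-HTTP API
  // (document.cookie) must not replace a cookie whose HttpOnly flag is set.
  constructor(enforceRule) {
    this.enforceRule = enforceRule;
    this.store = new Map(); // name -> { value, httpOnly }
  }
  // Server response carried a Set-Cookie header.
  setFromHttp(name, value, httpOnly) {
    this.store.set(name, { value, httpOnly });
  }
  // Page script assigned a string to document.cookie.
  setFromScript(assignment) {
    const pair = assignment.split(';')[0].trim();
    const eq = pair.indexOf('=');
    if (eq < 1) return false; // no cookie name, nothing stored
    const name = pair.slice(0, eq);
    const old = this.store.get(name);
    if (this.enforceRule && old && old.httpOnly) return false; // write ignored
    // Store without the rule: the HttpOnly cookie is silently replaced.
    this.store.set(name, { value: pair.slice(eq + 1), httpOnly: false });
    return true;
  }
  // What a script can read back from document.cookie (HttpOnly cookies hidden).
  scriptView() {
    return [...this.store].filter(([, c]) => !c.httpOnly)
      .map(([n, c]) => `${n}=${c.value}`).join('; ');
  }
  // What the browser sends to the server in the Cookie request header.
  requestHeader() {
    return [...this.store].map(([n, c]) => `${n}=${c.value}`).join('; ');
  }
}

// Replays the page's test with constructed values; cookie1 is assumed HttpOnly.
function replay(enforceRule) {
  const jar = new CookieJar(enforceRule);
  jar.setFromHttp('cookie1', '5', true);
  jar.setFromHttp('cookie2', '5', false);
  const accepted = jar.setFromScript(
    'cookie1=100; expires=Thu, 2 Aug 2014 20:00:00 UTC; path=/');
  return { accepted, sent: jar.requestHeader(), visible: jar.scriptView() };
}

console.log('rule enforced:', replay(true));
console.log('rule missing: ', replay(false));
```

The server only ever sees the `sent` value, so from the Cookie header alone it cannot tell which of the two stores produced the request.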
Understanding Session Fixation
https://resources.infosecinstitute.com/understanding-session-fixation/ (access date: 4 April 2014)
Acknowledgements 2014 – BlackBerry Security Incident Response Team
(access date: 4 April 2014)
KDE Bugtracking System – Bypassing HttpOnly cookie in Konqueror
https://bugs.kde.org/show_bug.cgi?id=330751 (access date: 4 April 2014)