⚠️ EDUCATIONAL DEMO: Demonstrates cookie security flag vulnerabilities. No real cookies are set or transmitted to any server.
Cookie Security Flags Demo
Missing HttpOnly and SameSite flags expose school session cookies to two distinct attacks.
THE SECURITY RISK IN PLAIN ENGLISH
When a staff member logs into the school portal, the server sets a cookie that acts as their "logged-in pass." Two flag settings control how safe that cookie is:
HttpOnly — prevents JavaScript from reading the cookie. Without it, any XSS vulnerability (even one in a comment box or search field) lets an attacker run JS that reads the session cookie and sends it to their server. No password needed — they just copy the cookie and they're in.
SameSite — prevents the cookie from being sent on cross-site requests. Without it, an attacker can embed a hidden form on their site that, when a staff member visits, automatically submits an action (change email, approve payment, delete record) using the staff member's live session — without them seeing anything.
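As an added example that is not part of the demo page, the following Python audit parses a Set-Cookie header and reports exactly the gaps the two flags above describe (plus the Secure flag the page's headers also carry). The three sample headers are constructed to mirror the page's cookies; the function and type names are this example's own.

```python
"""Audit Set-Cookie headers for missing HttpOnly / Secure / SameSite attributes.

Added example; not code from the demo page. Sample headers below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Union

AttrValue = Union[str, bool]


@dataclass
class ParsedCookie:
    name: str
    value: str
    # attribute name (lower-cased) -> value, or True for bare flags such as HttpOnly
    attrs: Dict[str, AttrValue] = field(default_factory=dict)


def parse_set_cookie(header: str) -> ParsedCookie:
    """Parse one Set-Cookie header. Accepts the bare value or the full
    'Set-Cookie: ...' line exactly as the demo prints it."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, AttrValue] = {}
    for part in parts[1:]:
        if not part:
            continue  # tolerate a trailing ';' as in the page's rendering
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return ParsedCookie(name.strip(), value.strip(), attrs)


def audit_cookie(header: str) -> List[str]:
    """Return findings for one Set-Cookie header; an empty list means all
    three protections discussed on the page are present."""
    cookie = parse_set_cookie(header)
    findings: List[str] = []
    if "httponly" not in cookie.attrs:
        findings.append("missing HttpOnly: readable via document.cookie after any XSS")
    if "secure" not in cookie.attrs:
        findings.append("missing Secure: would also be sent over plain HTTP")
    same_site = cookie.attrs.get("samesite")
    if not isinstance(same_site, str):
        findings.append("missing SameSite: attached to cross-site POSTs (CSRF)")
    elif same_site.lower() == "none":
        findings.append("SameSite=None: cross-site protection explicitly disabled")
    return findings


# Constructed sample headers: the page's two cookies plus a no-SameSite variant.
WITHOUT_HTTPONLY = "Set-Cookie: session=eyJhb...; Secure; SameSite=Lax"
WITHOUT_SAMESITE = "Set-Cookie: session=eyJhb...; HttpOnly; Secure;"
HARDENED = "Set-Cookie: session=eyJhb...; HttpOnly; Secure; SameSite=Lax"

if __name__ == "__main__":
    for header in (WITHOUT_HTTPONLY, WITHOUT_SAMESITE, HARDENED):
        print(header)
        for finding in audit_cookie(header) or ["no findings"]:
            print("  -", finding)
```

Run it against the Set-Cookie lines from a real response (for example, copied out of the browser's network panel) to get the same missing-flag verdicts the demo renders with ✕ marks.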
🎣 Scenario: XSS steals session cookie via missing HttpOnly
❌ Cookie Set Without HttpOnly
Server set the cookie like this — JavaScript can read it freely:
Set-Cookie: session=eyJhb...; Secure; SameSite=Lax
✕ HttpOnly flag: missing
Attacker injects JS via a vulnerable comment field or URL parameter. The script runs and reads the cookie.
✅ Cookie With HttpOnly
Same injected script, but the cookie now carries the HttpOnly flag:
🛡️ Theft blocked. document.cookie returned "" — the session cookie is invisible to JavaScript. The attacker's script sent an empty string. Nothing stolen.
🖱️ Scenario: CSRF attack via missing SameSite flag
❌ Cookie Without SameSite
Staff member is logged into the school portal. Attacker sends them a phishing link. When they visit the attacker's page, this hidden form auto-submits using their live session:
📧 POST sent automatically.
The browser included the staff member's session cookie (no SameSite restriction). The school server sees a valid authenticated request and changes the email to attacker@evil.com. Account takeover complete — no click required beyond visiting the attacker's page.
✅ Cookie With SameSite=Lax
Same hidden form, same staff member. But the cookie has SameSite=Lax:
Set-Cookie: session=eyJhb...; HttpOnly; Secure; SameSite=Lax
The browser refuses to attach the session cookie to any cross-site POST request:
🛡️ CSRF blocked.
The browser sent the POST but did not attach the session cookie — cross-site policy blocked it. The school server received an unauthenticated request and returned 401 Unauthorized. The attacker's form accomplished nothing.
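The browser decision behind the two CSRF outcomes above, as an added example that is not part of the demo page: a small Python model of when a cookie is attached to a request. It goes beyond the page by also covering SameSite=Strict and SameSite=None (the standard browser rules) and by optionally modelling the modern browser default of treating an absent attribute as Lax. The Cookie and Request types, the request flags and the function names are this example's own assumptions.

```python
"""Model of the Secure and SameSite cookie-attachment rules.

Added example; not code from the demo page. Types and request shape are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

# Methods the Lax rule lets through on a cross-site top-level navigation.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass(frozen=True)
class Cookie:
    name: str
    secure: bool = False
    http_only: bool = False
    same_site: Optional[str] = None  # "Strict", "Lax", "None", or None when the attribute is absent


@dataclass(frozen=True)
class Request:
    method: str
    https: bool
    cross_site: bool            # initiated from a different site than the cookie's site
    top_level_navigation: bool  # the window itself navigates (link, form submit), not fetch/img/iframe


def browser_attaches(cookie: Cookie, req: Request, absent_defaults_to_lax: bool = False) -> bool:
    """Would a browser send `cookie` with `req`?

    absent_defaults_to_lax=False reproduces the legacy behaviour the page's CSRF
    scenario relies on (no attribute => no restriction). True models Chromium's
    "Lax by default", which is not a substitute for setting the flag explicitly.
    """
    if cookie.secure and not req.https:
        return False  # Secure cookies never travel over plain HTTP
    if not req.cross_site:
        return True  # same-site requests always carry the cookie
    mode = (cookie.same_site or ("lax" if absent_defaults_to_lax else "")).lower()
    if mode == "strict":
        return False  # never attached to a cross-site request
    if mode == "lax":
        return req.top_level_navigation and req.method.upper() in SAFE_METHODS
    if mode == "none":
        return cookie.secure  # browsers reject SameSite=None cookies that lack Secure
    return True  # attribute absent, legacy behaviour: attached to every request


# The page's attack: a hidden form on the attacker's site auto-submits a POST to the portal.
HIDDEN_FORM_POST = Request(method="POST", https=True, cross_site=True, top_level_navigation=True)


def csrf_outcome(cookie: Cookie) -> str:
    """Server-side result of the hidden-form POST for a given session cookie."""
    if browser_attaches(cookie, HIDDEN_FORM_POST):
        return "200 OK: request authenticated, email changed"
    return "401 Unauthorized: no session cookie on the request"


if __name__ == "__main__":
    no_samesite = Cookie("session", secure=True, http_only=True)
    lax = Cookie("session", secure=True, http_only=True, same_site="Lax")
    print("no SameSite  ->", csrf_outcome(no_samesite))
    print("SameSite=Lax ->", csrf_outcome(lax))
    # The Lax caveat: a cross-site top-level GET (a plain link) still carries the cookie.
    link = Request(method="GET", https=True, cross_site=True, top_level_navigation=True)
    print("Lax, cross-site link click ->", browser_attaches(lax, link))
```

The model makes the Lax caveat visible: the hidden POST form is blocked, but a cross-site link (a top-level GET) still carries the cookie, so state-changing actions must never be reachable via GET, and a per-request CSRF token remains sensible defence in depth alongside the flag.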