HttpOnly flag for persistence cookies in HAProxy

A client arranged penetration testing in order to achieve PCI compliance and it was found that not all cookies contained the HttpOnly flag, which is an automatic fail because apparently you are more vulnerable to XSS attacks if you don’t set your cookies to use HttpOnly.

This problem turned out to be caused by the HAProxy load balancer not adding HttpOnly to its persistence (sticky session) cookies, so I checked the HAProxy manual and did some googling, but I couldn’t find any way of making HAProxy’s persistence cookies add the HttpOnly flag.

The HAProxy website says “if you want to suggest a useful feature, please discuss it on the mailing list” so I’ve tried to do just that but have not had any response yet. In the meantime, I’ve modified the code myself so that the HttpOnly flag is added to all persistence cookies. For version 1.4.21 of HAProxy, patching src/proto/http.c with the following will add my modification to achieve this:

5348a5349,5350
>             len += sprintf(trash+len, "; HttpOnly");
>
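Review bot: the added sprintf(trash+len, "; HttpOnly") at line 5349 writes into trash with no length limit visible in the hunk, so the extra ten bytes rely on whatever headroom the surrounding code happens to leave; an snprintf bounded by the space remaining after len would make that explicit. Nothing in the hunk makes the append conditional either, so every persistence cookie gets the flag with no way to switch it off per backend; gating it on a keyword of the cookie directive would let it ship as an option. The second added line (5350) is blank and can be dropped, and because this is a context-free normal diff it only applies reliably to the exact 1.4.21 source, so a unified diff would be safer to share.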

Hopefully this is something the HAProxy developers will add permanently as an option, otherwise it’s quite awkward for HAProxy users needing to pass compliance tests whilst using persistence cookies.

Edit: Willy, the developer of HAProxy, has replied on the mailing list to indicate that he’ll be adding an httponly option to the cookie parameter in version 1.5 of HAProxy, so that’s great news. In the meantime, my little hack above can be used for those needing HttpOnly on version 1.4.

Edit: This has now been added as an option in version 1.4.22 of HAProxy.
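
To confirm the result after patching or upgrading, the same check the penetration test performed can be repeated against the response headers. The following is an added example, not part of the original post or of HAProxy; the sample response and the cookie names (SERVERID, JSESSIONID, theme, tracker) are constructed for illustration.

```python
# Added example: audit Set-Cookie headers for a missing HttpOnly attribute.
# SAMPLE_RESPONSE is constructed sample data, not captured traffic.

SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: SERVERID=web1; path=/\r\n"        # persistence cookie, no flag
    "Set-Cookie: theme=httponly; Path=/\r\n"       # "httponly" is only the value
    "set-cookie: tracker=1; Path=/; httponly\r\n"  # lower-case header and flag
    "\r\n"
    "<html></html>"
)


def parse_set_cookies(raw_response):
    """Return a (name, attribute-name set) pair for each Set-Cookie header."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    cookies = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        field, sep, value = line.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        name = parts[0].partition("=")[0].strip()
        # Attributes follow the first ';'. Keep only the lower-cased attribute
        # name so "HttpOnly", "httponly" and "HTTPONLY" all compare equal, and
        # a cookie *value* that happens to contain "httponly" is not counted.
        attrs = {p.partition("=")[0].strip().lower() for p in parts[1:] if p}
        cookies.append((name, attrs))
    return cookies


def missing_httponly(raw_response):
    """Names of cookies that were set without the HttpOnly attribute."""
    return [name for name, attrs in parse_set_cookies(raw_response)
            if "httponly" not in attrs]


if __name__ == "__main__":
    for name in missing_httponly(SAMPLE_RESPONSE):
        print("missing HttpOnly:", name)
```

Run it on the raw headers of a response fetched through the load balancer rather than directly from a backend, since the persistence cookie is added by HAProxy itself.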