Questions tagged [httponly]

HttpOnly is an attribute of the Set-Cookie header that hides the cookie from JavaScript

HttpOnly is an attribute set in the Set-Cookie response header, telling the browser to withhold that cookie from client-side script (it never appears in document.cookie) and to attach it only to the HTTP and HTTPS requests the browser itself sends, which includes XMLHttpRequest and fetch requests made with credentials.

Important Note

HttpOnly only makes exploiting an XSS vulnerability a little harder: an injected script cannot read the session cookie, but it still runs inside the victim's session and can make authenticated requests from the victim's browser. It does not provide protection against XSS; the injection itself still has to be fixed.
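The definition above, and the questions further down about verifying the flag (the DevTools "Http" column, testing it from Firefox/IE), come down to one fact: the attribute lives in the Set-Cookie response header, so that is where it is checked. The following is an added example, not code from the tag wiki or from any question on this page. It parses Set-Cookie headers, reports which cookies lack HttpOnly, Secure or SameSite, and builds the header a server must send to set or clear an HttpOnly cookie. The function names, the sample headers and the session-cookie name list are this example's own assumptions (the names are the well-known defaults of Tomcat, PHP, ASP.NET and classic ASP).

```javascript
// Added example (not from the Stack Overflow tag wiki or any question below).
// Parses Set-Cookie response headers and audits each cookie for the HttpOnly,
// Secure and SameSite attributes, and builds the header a server must send to
// set or clear an HttpOnly cookie. The sample headers are constructed here.

// Attribute names are matched case-insensitively, as browsers do (RFC 6265).
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts.length ? parts[0].indexOf('=') : -1;
  if (eq <= 0) throw new Error(`malformed Set-Cookie header: ${header}`);
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(), // first '=' splits; later '=' belong to the value
    httpOnly: false,
    secure: false,
    sameSite: null,       // 'strict' | 'lax' | 'none' | null when absent
    attributes: {},       // every attribute as written, keyed by lower-cased name
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? true : attr.slice(i + 1).trim();
    cookie.attributes[key] = val;
    if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'samesite' && val !== true) cookie.sameSite = val.toLowerCase();
  }
  return cookie;
}

// Default session cookie names of the frameworks discussed under this tag
// (assumed list; extend it for your own application).
const SESSION_COOKIE_NAMES = /^(JSESSIONID|PHPSESSID|ASP\.NET_SessionId|ASPSESSIONID)/i;

// Report every cookie that lacks a hardening attribute. A session cookie without
// HttpOnly is what vulnerability scanners flag; a cookie that script legitimately
// reads (a UI preference, say) may omit it, so the caller decides what to act on.
function auditSetCookieHeaders(headers) {
  return headers.map(parseSetCookie).map((c) => {
    const findings = [];
    if (!c.httpOnly) findings.push('missing HttpOnly');
    if (!c.secure) findings.push('missing Secure');
    if (!c.sameSite) findings.push('missing SameSite');
    return { name: c.name, isSession: SESSION_COOKIE_NAMES.test(c.name), findings };
  });
}

// The header a server sends to set a hardened cookie. Only the server can do
// this: per RFC 6265 a browser discards a document.cookie write that carries
// HttpOnly, which is why the "set HttpOnly from JavaScript" approach fails.
function buildSetCookie(name, value, { httpOnly = true, secure = true, sameSite = 'Lax', maxAge, path = '/' } = {}) {
  const parts = [`${name}=${value}`, `Path=${path}`];
  if (maxAge !== undefined) parts.push(`Max-Age=${maxAge}`);
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  parts.push(`SameSite=${sameSite}`);
  return parts.join('; ');
}

// Logging out with an HttpOnly session cookie: script cannot delete it, so the
// logout endpoint must answer with a clearing header (Max-Age=0, same Path).
function buildClearCookie(name, path = '/') {
  return buildSetCookie(name, '', { maxAge: 0, path });
}

// Constructed sample: what a response from a mixed-configuration app might carry.
const SAMPLE_SET_COOKIE_HEADERS = [
  'JSESSIONID=3F2A9C1D; Path=/; Secure; HttpOnly',
  'PHPSESSID=abc123; path=/',
  'theme=dark; Path=/; Max-Age=31536000; SameSite=Lax',
];

for (const r of auditSetCookieHeaders(SAMPLE_SET_COOKIE_HEADERS)) {
  const kind = r.isSession ? 'session cookie' : 'cookie';
  console.log(`${kind} ${r.name}: ${r.findings.length ? r.findings.join(', ') : 'ok'}`);
}
console.log(buildClearCookie('JSESSIONID'));
```

Feed it the Set-Cookie lines from `curl -i` or from the DevTools Network panel; checking from inside the page is impossible by design, since a cookie that script could see would not be HttpOnly.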

241 questions
200 votes · 9 answers

How do HttpOnly cookies work with AJAX requests?

JavaScript needs access to cookies if AJAX is used on a site with access restrictions based on cookies. Will HttpOnly cookies work on an AJAX site? Edit: Microsoft created a way to prevent XSS attacks by disallowing JavaScript access to cookies if…
Shawn · 18,369 · 19 · 95 · 151
94 votes · 10 answers

How do you set up HttpOnly cookies in PHP?

How can I set the cookies in my PHP apps as HttpOnly cookies?
Scott Warren · 959 · 1 · 8 · 5
77 votes · 10 answers

How do you configure HttpOnly cookies in Tomcat / Java webapps?

After reading Jeff's blog post on Protecting Your Cookies: HttpOnly, I'd like to implement HttpOnly cookies in my web application. How do you tell Tomcat to use HttpOnly cookies for sessions?
ScArcher2 · 78,317 · 42 · 111 · 158
61 votes · 4 answers

Chrome developer tools > Resources > Cookies > HTTP column: does a checkmark here indicate an HttpOnly cookie?

Does the checkmark in the HTTP column of Chrome DevTools' Cookies resource panel indicate an HttpOnly cookie? I can't find docs that confirm this, though I suspect it is the case. I am trying to verify my app is using HttpOnly for session cookies.
user854894
50 votes · 4 answers

How exactly do you configure httpOnlyCookies in ASP.NET?

Inspired by this CodingHorror article, "Protecting Your Cookies: HttpOnly". How do you set this property? Somewhere in the web config?
Teller · 725 · 1 · 7 · 13
44 votes · 5 answers

Which browsers support HttpOnly cookies?

Which browsers support HttpOnly cookies, and since which version? Please see http://www.codinghorror.com/blog/archives/001167.html for a discussion of HttpOnly cookies and XSS prevention.
knorv · 45,461 · 71 · 205 · 289
32 votes · 7 answers

Setting HTTPONLY for Classic ASP Session Cookie

Does anyone know exactly how to set HTTPONLY on classic ASP session cookies? This is the final thing that's been flagged in a vulnerability scan and needs fixing ASAP, so any help is appreciated. A little more information on my problem: Can…
E.Shafii · 321 · 1 · 3 · 4
28 votes · 3 answers

Tomcat 7 session ID cookie: disable HttpOnly and Secure

I have a web application which is running on a Tomcat 7 server. The cookie with the session ID has the flags HttpOnly and Secure by default. I want to disable these flags for the JSESSIONID cookie, but it won't work. I have changed this in my web.xml file…
JEE-Dev · 281 · 1 · 3 · 5
25 votes · 1 answer

How do I set the HttpOnly flag of a cookie with JavaScript?

I'm trying to create a cookie with the HttpOnly flag enabled. While there seems to be a plethora of resources about how to do it in Java and .NET, I need to do it in JavaScript. Here is my (currently failing) function createCookie =…
user617136 · 293 · 1 · 3 · 7
21 votes · 5 answers

Add Secure and HttpOnly Flags to Every Set-Cookie Response in Apache httpd

I'm running Apache 2.2.26: Server version: Apache/2.2.26 (Unix) Server built: Jan 17 2014 12:24:49 Cpanel::Easy::Apache v3.22.30 rev9999 +cloudlinux. I'm attempting to use mod_headers to edit Set-Cookie headers and add the Secure or HttpOnly flag,…
Doug · 5,243 · 7 · 54 · 89
20 votes · 1 answer

Logout with HttpOnly cookie

I can see that HttpOnly cookies are good for security; however, they make logging out without server interaction impossible, right? So when the network fails, you can't log out and leave. I can imagine a workaround, but I'd like to ask first: does…
maaartinus · 40,991 · 25 · 130 · 292
19 votes · 4 answers

How do I test the HttpOnly cookie flag?

I have set the following property in WebSphere for the jsession cookie: com.ibm.ws.webcontainer.HTTPOnlyCookies. Any idea how best to test this using JavaScript in Firefox or IE?
streed · 221 · 1 · 2 · 6
18 votes · 4 answers

Check if an HttpOnly cookie exists in JavaScript

As the question says, can you find out from JavaScript whether a cookie exists if it is HttpOnly? I don't need to access the information inside of it, just know it has one. A little more information on the situation is that there was originally a web…
Grofit · 15,299 · 19 · 84 · 167
18 votes · 4 answers

How do I set the session cookie's HttpOnly setting to false?

In Ruby on Rails, how do I set the session cookie's httpOnly setting to false?
kingjeffrey · 13,546 · 6 · 39 · 47
18 votes · 1 answer

Using IIS Rewrite to add HttpOnly Flag to Cookies Not Working

I found numerous examples of adding HttpOnly to my cookies, but it does not work for me and I am not sure why. All the examples I found were the same, and I copied this one from one of the posts that I had found. I am using .NET 3.5 under IIS 7.0.…
mrhoades · 181 · 1 · 1 · 5