Questions tagged [httponly]

HttpOnly is a flag in the cookie header to hide data from JavaScript

HttpOnly is a flag in the cookie header, indicating that the browser should hide this cookie from JavaScript and only use it for HTTP and HTTPS requests.

Important Note

HttpOnly just makes exploiting XSS vulnerabilities a little more difficult. It does not provide protection against XSS.

241 questions
0 votes, 0 answers

Custom 404 not setting HTTPONLY on cookies using Classic ASP and IIS 7

I am having an issue with getting IIS7 to make all of my session cookies HTTPONLY when using a custom 404 page. This is my web.config:
0 votes, 1 answer

Does HTTPOnly flag apply to persistent cookies

I understand HTTPOnly flag applies to session cookies. Does it apply to persistent cookies? Is anyone able to provide a reference? I have checked http://tools.ietf.org/rfc/rfc6265.txt on HTTPOnly flag but it is not explicitly stated.
0 votes, 1 answer

Why can't both HTTP Only and Secure flags be set in the cookies using Apache WebLogic?

My architect tells me that when using Apache to Front-end WebLogic, WebLogic can't set the Secure flag in the cookies. Why is that? We are using Apache to create FIPS 140-2 compliant HTTPS connections. Update: The reason given is that "The cookie…
Mike Jr
0 votes, 1 answer

HttpOnly and Secure flag testing

I have set the following under web.config in my app
overloading
0 votes, 1 answer

Are there implicit cookies created during web navigation? / httpOnly flag

In my website I am not using any kind of cookies; everything goes through server-side session handling (no setcookie instruction at all). But still, using the Acunetix website vulnerability checker, I get a report about "Session cookie without httpOnly…
Sebas
0 votes, 1 answer

HttpOnly and Secure not set for sub path cookie

I have the following in web.config... These settings are being applied to my site's cookies correctly except for a cookie called 'UMB_PANEL' with a path of '/umbraco'. I have tried adding a…
Ian Warburton
0 votes, 1 answer

Need Cookies value on client side with Httponly attribute true

We are setting the parameter httpOnly to true in the web.xml file to prevent cookie creation at the client side. This is causing problems with reading the cookie values. We are using the following way to read the JSESSIONID cookie in…
bNd
0 votes, 1 answer

HttpServletRequest is null when http-only is set to true

I am using JBoss 7 and I have configured my session config in web.xml as follows: 240 true However, in my servlet, I am getting a NullPointerException when…
user1066568
0 votes, 1 answer

How can I tell if httponly is set in my application

Without looking over the shoulder of a developer, how can I tell if HTTPonly is set properly from the front end of my web application?
eerik aljas
0 votes, 2 answers

httponly cookie web 3.0 causing unexpected timeout

Just recently, I migrated from web 2.4 to web 3.0. One of the requirements of this migration was that I need to introduce the 'httponly' cookie in my application. So, I added the following sessionconfig element to my…
user1066568
0 votes, 4 answers

Get HttpOnly cookies with JavaScript

Do you know of any way to get access to HttpOnly cookies using JavaScript? I know that the point of those cookies is that you won't be able to get them this way (for security reasons). But still, is there absolutely no way to achieve this? Hasn't…
user1094565
-1 votes, 1 answer

Express to Express - How can an httpOnly cookie be forwarded?

When the frontend (A) is hitting the backend for /login, the backend ExpressJs (B) responds with an httpOnly cookie by doing: ctx.res.cookie('auth-token', jwt.sign({ userId: userId }, APP_SECRET, { expiresIn: 100000 }), { httpOnly: true, …
Alan
-1 votes, 1 answer

How to use the JWT payload to store session user data?

I am building a web application with an API BACK-END side written in Symfony and a FRONT-END side written with Angular 7. My problem is to retrieve user data from the back-end and to store it in session on front-end side. I use JWT for…
Moran_bzh
-1 votes, 1 answer

Exclude from regular expression

I have a regular expression for the HttpOnly configuration: Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure For AppDynamics EUM, I want to exclude from this regular expression everything that begins with "ADRUM" (without quotes). How can I proceed…
Ludovic LACHEVRE
-1 votes, 1 answer

ASPSESSIONID missing HTTPONLY attribute for classic ASP

I am trying to find a way to enable HTTPONLY on the ASPSESSIONID cookie that is auto generated for classic ASP sites. I know that .NET 2.0+ sites have the ASP session cookie defaulted to HTTPONLY, but I need to get this configured for classic ASP. I…
user1903219