Questions tagged [httponly]

HttpOnly is an attribute on the Set-Cookie response header. It tells the browser not to expose the cookie to client-side script (document.cookie, or the cookie-related XHR/fetch response headers) and to send it only with HTTP and HTTPS requests. The browser is the one enforcing this: the server sets the attribute, and any client that is not a browser (a curl command, Postman, a proxy) will still see the cookie in the raw headers.

Important Note

HttpOnly only makes exploiting an XSS vulnerability a little harder. Injected script cannot read the cookie and exfiltrate it, but it can still issue requests from the victim's browser, and the browser attaches the cookie to those requests automatically, so the attacker can act as the user without ever seeing the session value. HttpOnly does not provide protection against XSS; the injection itself still has to be fixed.
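Most of the questions below are of the form "my framework says it sets HttpOnly, but the flag is not on the cookie". The quickest way to settle that is to look at the raw Set-Cookie headers rather than a browser UI. The following is an added example, not part of the tag wiki or of any framework discussed on this page: a small Node.js audit that parses Set-Cookie header values and reports cookies missing HttpOnly, Secure or SameSite, plus a builder that emits a correctly flagged session cookie. The sample headers are constructed for the demo, and the `sensitive` predicate is a convention of this example (it lets you exempt a cookie that script legitimately needs to read, such as a double-submit CSRF token). Note what the audit does and does not prove: it confirms the flag is present, which stops script from reading the cookie; it says nothing about whether injected script can still make requests that carry it.

```javascript
'use strict';

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are case-insensitive (RFC 6265), so they are lower-cased;
// flag attributes such as HttpOnly and Secure are stored as `true`.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [nameValue, ...rest] = parts;
  const eq = nameValue.indexOf('=');
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq).trim();
  const value = eq === -1 ? '' : nameValue.slice(eq + 1).trim();
  const attrs = {};
  for (const p of rest) {
    const i = p.indexOf('=');
    const k = (i === -1 ? p : p.slice(0, i)).trim().toLowerCase();
    attrs[k] = i === -1 ? true : p.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// Audit a list of Set-Cookie header values. `sensitive(name)` decides which
// cookies carry session or auth material; by default every cookie is treated
// as sensitive, which is the conservative choice. Returns one finding per
// cookie that has at least one problem.
function auditSetCookies(headers, sensitive = () => true) {
  const findings = [];
  for (const h of headers) {
    const c = parseSetCookie(h);
    if (!sensitive(c.name)) continue;
    const problems = [];
    const hasSecure = 'secure' in c.attrs;
    if (!('httponly' in c.attrs)) problems.push('missing HttpOnly');
    if (!hasSecure) problems.push('missing Secure');
    const ss = typeof c.attrs.samesite === 'string' ? c.attrs.samesite.toLowerCase() : null;
    if (ss === null) problems.push('missing SameSite');
    else if (ss === 'none' && !hasSecure) problems.push('SameSite=None requires Secure');
    if (problems.length) findings.push({ name: c.name, problems });
  }
  return findings;
}

// Build a Set-Cookie value with hardened defaults. The value is percent-
// encoded so a token containing ';' cannot smuggle in extra attributes, and
// the name is restricted to RFC 6265 token characters.
function buildSessionCookie(name, value, { maxAge = 3600, sameSite = 'Lax', path = '/' } = {}) {
  if (!/^[A-Za-z0-9!#$%&'*+\-.^_`|~]+$/.test(name)) throw new Error('invalid cookie name');
  return `${name}=${encodeURIComponent(value)}; Path=${path}; Max-Age=${maxAge}; HttpOnly; Secure; SameSite=${sameSite}`;
}

// Constructed sample response headers (not captured from a real server):
// a session cookie with the flags, a CSRF cookie without HttpOnly, and a
// container-issued session id with no flags at all.
const SAMPLE_HEADERS = [
  'sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax',
  'csrftoken=xyz789; Path=/; Secure',
  'jsessionid=DEADBEEF; Path=/',
];

const REPORT = auditSetCookies(SAMPLE_HEADERS, (n) => n !== 'csrftoken');
console.log(JSON.stringify(REPORT, null, 2));
console.log(buildSessionCookie('sessionid', 'abc123'));
```

To use it against a live application, capture the response headers with `curl -si` or from a proxy and pass each Set-Cookie line to `auditSetCookies`; checking a browser devtools panel instead is what leads to the "works in Postman, not in React" confusion, because Postman is not a browser and does not honour the flag.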


241 questions
7 votes, 1 answer

How to set httpOnly flag in ngCookies?

I have a JWT token that I'd like to store in a cookie. The cookie needs to have at least HttpOnly flag set, but I would also want to set the Secure flag to true. From the angular docs I know I can store my token in cookies like this: // using…
rublex
6 votes, 1 answer

Why are HTTPOnly Cookies not being set correctly in IE9?

I have setup my ColdFusion application to set HTTPOnly cookies using the code below (from http://www.petefreitag.com/item/764.cfm): THIS.Name = "MyCFApp"; THIS.SessionManagement = true; …
Eric Belair
6 votes, 3 answers

Forcing HttpOnly cookies with JRun/ColdFusion

We need to ensure that all cookies on a CF7 site are set as HttpOnly. We are using jsessionid to control our sessions, and JRun does not create this as HttpOnly. Whilst it is possible to modify an existing cookie to add this setting, we need to have…
Peter Boughton
5 votes, 2 answers

Can't access HttpOnly cookie from React JS but can access it in the Postman app! How is it possible?

I send a request to the server to log in and get a cookie with a token value with the HttpOnly tag. After this action I cannot access the cookie value in my React app, but I tested it in the Postman app and I can see the cookie in this app. If I can see it in the Postman…
5 votes, 1 answer

Django won't set HttpOnly for csrftoken cookie

In my Django's settings.py I have SESSION_COOKIE_HTTPONLY = True SECURE_CONTENT_TYPE_NOSNIFF = True SECURE_BROWSER_XSS_FILTER = True X_FRAME_OPTIONS = 'DENY' SESSION_COOKIE_SECURE = True CSRF_COOKIE_SECURE = True SECURE_SSL_REDIRECT =…
texnic
5 votes, 1 answer

Session Cookie HTTPOnly flag not set on response from logout (Django)

I have a Django application and am configuring some security settings. One of the settings is the SESSION_COOKIE_HTTPONLY flag. I set this flag to True. On session creation (login) I can see the session HTTPOnly flag set if I inspect cookies. On…
Brian Ambielli
5 votes, 0 answers

Cannot see Request or Response Cookie headers on external device phonegap app

While developing a phonegap application, I can see the SetCookie header in responses from XHR login requests to an API I am using. As expected, when I inspect subsequent requests, I see the cookie being sent. I can also see that it is an httpOnly…
5 votes, 0 answers

ASP.NET HttpOnly cookie in web.config not working

From everything I've read online, a web.config like this should enable HttpOnly cookies, in ASP.NET 2.0. However this is not working. ... Is…
jmosesman
5 votes, 7 answers

Drop any session from client side

I'm preparing some diagnostic tool. It operates on the website in the iframe - only by javascript. Now what I need is to get rid of session cookie in the website that I have in my iframe. I just need to be logged out after performing some…
ŁukaszW.pl
4 votes, 2 answers

session cookie httponly false rails 3.1

I'm trying to turn httponly off for use in phonegap. I'm using rails 3.1 and devise, each of which has reported (but not documented) ways of doing this, none of which work: # application.rb config.session_options = { :httponly => false } # no…
Peter Ehrlich
4 votes, 1 answer

Can I access HttpOnly cookie using IHTMLDocument2 in ActiveX?

Can I access session cookies marked as HttpOnly via IHTMLDocument2::cookie inside ActiveX running in Internet Explorer 11? Here is the code example that comes from the answer to this question: CComPtr pDoc // get document from event…
IT Hit WebDAV
4 votes, 2 answers

Add HttpOnly flag to cookies on the fly with Apache?

So I have a java webapp that uses tomcat with an apache proxy layer. I'm looking to make all cookies set from the app have the httpOnly flag. The problem with this is that tomcat is responsible for setting the flag from the application side and its…
Zack
4 votes, 0 answers

HttpOnly cookie and XSRF-TOKEN in angular js

I have an angular js web application with play framework as server side. I am using Google plus sign-in button to authenticate users. I need to authenticate all my ajax calls in the server side. After going through documentation that's available on…
DBS
4 votes, 1 answer

Will http_only cookies be sent with AJAX?

I found this link But at the bottom it says This information is likely no longer up to date. So my question is, will http_only cookies be sent with AJAX? Can the response via AJAX set http_only cookies? Edit 1: Let's say a user logged in to the…
Ezio_
4 votes, 2 answers

HttpOnly cookies on google app engine java

Anyone know how I can use httponly cookies for sessions and cookies on the app engine? In the javadoc for the Cookie class, http://java.sun.com/javaee/6/docs/api/javax/servlet/http/Cookie.html#setHttpOnly(boolean) , there is a setHttpOnly method. I…
Kyle