What is httponly cookie?


HttpOnly is a flag added to a cookie that tells the browser not to expose the cookie to client-side scripts (document.cookie and similar APIs). The purpose of HttpOnly is to keep cookies from leaking when an XSS flaw exists: an attacker may still be able to run their script, but the main payoff of an XSS vulnerability (the ability to steal cookies and hijack a currently established session) is lost.

When you set a cookie with the HttpOnly flag, it informs the browser that this particular cookie should only be accessed by the server. Any attempt to access the cookie from a client-side script is refused. Of course, this presumes the user has a modern web browser that honours the flag.

HttpOnly cookies were first introduced in Microsoft's Internet Explorer 6 SP1, and setting session cookies with this flag has since become common practice.

The syntax of this is as follows:
Set-Cookie: Name=Value; expires=Wednesday, 01-May-2014 12:45:10 GMT; HttpOnly

In this HTTP header, ; HttpOnly tells the browser to save the cookie without exposing it to client-side scripts. The Secure flag, on the other hand, tells the browser to send the cookie only over an encrypted channel such as HTTPS, which prevents eavesdropping, in particular when an HTTPS connection is downgraded to HTTP by tools such as SSLStrip.

The syntax for this is as follows:
Set-Cookie: Name=Value; expires=Wednesday, 01-May-2014 12:45:10 GMT; Secure

In this HTTP header, ; Secure tells the browser to send the cookie only over a secure, encrypted channel.
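As an added example (not code from the original article), the following Python script parses a Set-Cookie header value into its attributes, reports whether the HttpOnly and Secure flags are present, and builds a hardened header that carries both. The header values in it are constructed for illustration.

```python
# Added example (not from the original article): parse a Set-Cookie header,
# report whether HttpOnly and Secure are present, and build a hardened header.
# Sample header values are constructed for illustration.

def parse_set_cookie(header):
    """Split 'name=value; attr; attr=value' into (name, value, attrs).

    Attribute names are case-insensitive (RFC 6265), so they are
    lower-cased; flag attributes such as HttpOnly map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header):
    """Return the protections a cookie lacks (empty list means both flags set)."""
    _, _, attrs = parse_set_cookie(header)
    findings = []
    if attrs.get("httponly") is not True:
        findings.append("missing HttpOnly: readable through document.cookie")
    if attrs.get("secure") is not True:
        findings.append("missing Secure: also sent over plaintext HTTP")
    return findings


def build_set_cookie(name, value, expires=None):
    """Emit a Set-Cookie value that carries both flags from the article."""
    header = f"{name}={value}"
    if expires:
        header += f"; expires={expires}"
    return header + "; HttpOnly; Secure"


if __name__ == "__main__":
    # Constructed header mirroring the article's syntax, with only HttpOnly set.
    weak = "Name=Value; expires=Wednesday, 01-May-2014 12:45:10 GMT; HttpOnly"
    print(audit_set_cookie(weak))       # ['missing Secure: also sent over plaintext HTTP']
    hardened = build_set_cookie("Name", "Value", "Wednesday, 01-May-2014 12:45:10 GMT")
    print(hardened)
    print(audit_set_cookie(hardened))   # []
```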

Unallocated Author

Please note that the article you are reading has an unallocated author as the original author is no longer employed at latesthackingnews.com, this has been put in place to adhere with general data protection regulations (GDPR). If you have any further queries, please contact: [email protected]