104

I go to a forum which uses vBulletin 3.8. When I log in, I use Firebug to see what cookies were set. I see these cookies:

__utmb, __utmc, __utma, __utmz, bbsessionhash, vbseo_loggedin, bbpassword, bbuserid, bblastactivity, bblastvisit

They all had a value set, and the domain was identical.

But when I use JavaScript to view them, it only sees these cookies:

__utmb, __utmc, __utma, __utmz, vbseo_loggedin, bblastactivity, bblastvisit

In Firebug, I see that only these three cookies, bbsessionhash, bbpassword and bbuserid, have HTTPOnly set in the HTTPOnly column. What does it mean, and is that the reason I can't see those cookies in JavaScript using document.cookie?

schweerelos
kiennt

1 Answer

167

From http://en.wikipedia.org/wiki/HTTP_cookie:

Cookies are not directly visible to client-side programs such as JavaScript if they have been sent with the HttpOnly flag. From the point of view of the server, the only difference with respect to the normal case is that the Set-Cookie header line has a new field added containing the string HttpOnly:

Set-Cookie: RMID=732423sdfs73242; expires=Fri, 31-Dec-2010 23:59:59 GMT; path=/; domain=.example.net; HttpOnly

When the browser receives such a cookie, it is supposed to use it as usual in the following HTTP exchanges, but not to make it visible to client-side scripts. The HttpOnly flag is not part of any standard, and is not implemented in all browsers.

Update from 2017: a lot of time has passed since 2009, and the HttpOnly header flag has become a standard, defined in section 5.2.6 of RFC 6265, with the storage semantics described in the same document (look for "http-only-flag" throughout the RFC text).

There is no way to access anything about HttpOnly cookies from "non-HTTP" APIs, e.g. JavaScript. By design, neither reading nor writing such cookies is possible.

Community
drdaeman
  • 18
    But is there a way to access those cookies somehow from the frontend? Cookie manager Chrome extension is showing them, but document.cookie not. – Silver Ringvee Jul 18 '16 at 09:49
  • 13
    @SilverRingvee, sorry but there is none. If there is a way, it is a browser security bug (and a quite severe one) that should be reported and fixed. Browser extensions are different matters, though - they have higher privileges than websites, and have access to the privileged APIs (e.g. [`chrome.cookies.getAll` for Chrome](https://developer.chrome.com/extensions/cookies#method-getAll)) that can see all the cookies. – drdaeman Jul 20 '16 at 09:20
  • @SilverRingvee , have you found any way to access the cookies with HTTPOnly flag? – Rewanth Tammana Aug 08 '17 at 11:36
  • 6
    @RewanthCool and I have now realized that it would be a horribly bad security issue if it was possible. – Silver Ringvee Aug 08 '17 at 13:47
  • @SilverRingvee I tried using an XMLHttpRequest but no use. Here is the reference: https://forums.asp.net/t/1697306.aspx?It+possiible+to+read+cookies+in+JS+with+httpOnly+flag . Check this out !! – Rewanth Tammana Aug 08 '17 at 13:52
  • So what would be the way to delete an HTTPOnly cookie? – neiya Nov 02 '20 at 14:04
  • @neiya - Normally an HTTPOnly cookie would be set by the webserver (not sure if JavaScript _can_ set one?) (i.e. in the HTTP response returned by the webserver), and it would need to be cleared by the server too. – MikeBeaton Nov 18 '21 at 12:41
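As an added example (not code from the question, the answer, or vBulletin), the Node.js script below models the two views the asker compared: the browser's cookie jar, which holds every cookie and sends all of them in the Cookie request header, and the document.cookie view, which omits anything carrying the HttpOnly flag. It also models the second half of the accepted answer, that a script write can neither create an HttpOnly cookie nor overwrite or expire an existing one, which is the behaviour RFC 6265 section 5.3 specifies for "non-HTTP" APIs. The cookie names are taken from the question; the values, the `.forum.example` domain and the jar functions are this example's own constructions.

```javascript
// Added example, not code from the question, the answer or vBulletin: a small
// model of how a browser keeps HttpOnly cookies in its jar yet withholds them
// from document.cookie. parseSetCookie() follows the attribute handling of
// RFC 6265 section 5.2; the jar, the script view and the sample values are
// this example's own simplifications.

function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  if (eq <= 0) throw new Error('invalid Set-Cookie line: ' + header);
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    httpOnly: false, // RFC 6265 5.2.6: set only when the attribute is present
    secure: false,
    path: '/',
    domain: null,
    expires: null,
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? '' : attr.slice(i + 1).trim();
    if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'path' && val) cookie.path = val;
    else if (key === 'domain' && val) cookie.domain = val.replace(/^\./, '').toLowerCase();
    else if (key === 'expires') cookie.expires = val;
    // any other attribute is ignored, as section 5.2 tells user agents to do
  }
  return cookie;
}

// Insert or replace a cookie in the jar; name, domain and path identify it.
// fromScript models a write through document.cookie (a "non-HTTP API").
// Returns true if the jar changed, false if the write was refused.
function storeCookie(jar, cookie, fromScript) {
  const idx = jar.findIndex(
    (c) => c.name === cookie.name && c.domain === cookie.domain && c.path === cookie.path
  );
  // RFC 6265 5.3: a non-HTTP API may neither create an http-only cookie nor
  // overwrite (and therefore not expire) an existing one, so both are refused.
  if (fromScript && (cookie.httpOnly || (idx !== -1 && jar[idx].httpOnly))) return false;
  if (idx === -1) jar.push(cookie);
  else jar[idx] = cookie;
  return true;
}

// What a script reads from document.cookie: every cookie except HttpOnly ones.
function documentCookie(jar) {
  return jar.filter((c) => !c.httpOnly).map((c) => `${c.name}=${c.value}`).join('; ');
}

// What the browser puts in the Cookie request header: all of them.
function cookieHeader(jar) {
  return jar.map((c) => `${c.name}=${c.value}`).join('; ');
}

// Constructed Set-Cookie lines using the cookie names from the question;
// the values and the domain are placeholders, not real vBulletin output.
const SAMPLE_RESPONSE_COOKIES = [
  'bbsessionhash=SESSIONHASH_PLACEHOLDER; path=/; domain=.forum.example; HttpOnly',
  'bbpassword=PASSWORDHASH_PLACEHOLDER; path=/; domain=.forum.example; HttpOnly',
  'bbuserid=12345; path=/; domain=.forum.example; HttpOnly',
  'bblastactivity=0; path=/; domain=.forum.example',
  'bblastvisit=1262300000; path=/; domain=.forum.example',
  'vbseo_loggedin=yes; path=/; domain=.forum.example',
];

// Build the jar the way the browser would from the login response headers.
function buildSampleJar() {
  const jar = [];
  for (const line of SAMPLE_RESPONSE_COOKIES) storeCookie(jar, parseSetCookie(line), false);
  return jar;
}

if (typeof require !== 'undefined' && require.main === module) {
  const jar = buildSampleJar();
  console.log('Cookie header  :', cookieHeader(jar));
  console.log('document.cookie:', documentCookie(jar));
  const overwrite = parseSetCookie('bbuserid=1; path=/; domain=.forum.example');
  console.log('script overwrite of bbuserid accepted?', storeCookie(jar, overwrite, true));
}
```

Running it with `node` prints the full Cookie header, the shorter document.cookie string containing only the three non-HttpOnly cookies, and `false` for the attempted script overwrite of bbuserid, which is also why, as the last comment says, clearing such a cookie has to come from the server's own Set-Cookie response rather than from page script.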