
I have an application using Spring Boot where I set an HttpOnly cookie. In the browser I can inspect it and see that it is correctly set as HttpOnly. With this I prevent client-side JavaScript from accessing it.

But do I have to do anything on the server side when reading the cookie? As far as I understand, I cannot use JavaScript to read the cookie, but I can still create a non-HttpOnly cookie with the same name and value as the HttpOnly one just by using a browser plugin. On the server side, wouldn't I need to verify the cookie and whether it's HttpOnly?

I've tried doing that by just getting the list of cookies from the request, but it seems all of their other fields are set to a default value. The only fields I can read are the name and the value of the cookie.

Is this the expected behaviour?

Juan Vega

1 Answer


This is, indeed, the specified behaviour.

The Set-Cookie header transmits information like HttpOnly to a client. But a call from the client to the server uses the Cookie header, which only includes cookie names and values (but no further information). Therefore, the server cannot derive this information from the Cookie header alone. It is simply not there.

This is specified in RFC 6265 "HTTP State Management Mechanism" in Section 5.4 "The Cookie Header":

   4.  Serialize the cookie-list into a cookie-string by processing each
       cookie in the cookie-list in order:

       1.  Output the cookie's name, the %x3D ("=") character, and the
           cookie's value.

       2.  If there is an unprocessed cookie in the cookie-list, output
           the characters %x3B and %x20 ("; ").

Since the information is missing, it is often set to a default value.

pscheid
Comment: Thanks for the explanation. I suppose this isn't a problem because headers sent by the client shouldn't be blindly trusted anyway—headers can be spoofed directly, not only via setting cookies using `document.cookie`. – Matt Browne Dec 13 '22 at 15:55
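As an added illustration of the answer and the comment above (example code written for this page, not from the question's Spring Boot application or from the answerer): the first two functions parse a constructed Set-Cookie response header and a constructed Cookie request header with Python's standard `http.cookies` module, showing that the HttpOnly/Secure/Path attributes survive only in Set-Cookie and come back as empty defaults from Cookie. A cookie planted by a browser plugin without HttpOnly produces a byte-identical Cookie header, so the flag cannot be checked server-side. The remaining two functions show the check a server can do instead: sign the cookie value with an HMAC when issuing it and verify the tag when reading it, so a forged or altered value is rejected. The secret key and the `session` cookie name are assumptions for the example.

```python
"""Added example: what a server sees in the Cookie header versus what it sent
in Set-Cookie, and an HMAC-signed value as the server-side check that is
actually possible. Not code from the original question or answer."""
import hashlib
import hmac
from http.cookies import SimpleCookie

# Constructed sample headers, not captured from a real application.
SET_COOKIE_HEADER = "session=abc123; Path=/; HttpOnly; Secure"
# What the browser sends back, whether the cookie was set by the server with
# HttpOnly or planted by a plugin without it: only name=value pairs.
COOKIE_HEADER = "session=abc123; theme=dark"

# Hypothetical server-side secret for the example; load from config in practice.
SERVER_SECRET = b"example-secret-key-not-for-production"


def attributes_from_set_cookie(header, name="session"):
    """Parse a Set-Cookie header as the browser would; attributes are present."""
    jar = SimpleCookie()
    jar.load(header)
    morsel = jar[name]
    return {
        "value": morsel.value,
        "httponly": bool(morsel["httponly"]),
        "secure": bool(morsel["secure"]),
        "path": morsel["path"],
    }


def attributes_from_cookie(header):
    """Parse a request's Cookie header the way a server does: every attribute
    comes back as the empty-string default because it was never transmitted."""
    jar = SimpleCookie()
    jar.load(header)
    return {
        name: {
            "value": morsel.value,
            "httponly": bool(morsel["httponly"]),
            "secure": bool(morsel["secure"]),
            "path": morsel["path"],
        }
        for name, morsel in jar.items()
    }


def sign_value(value, secret=SERVER_SECRET):
    """Produce the value the server should put in Set-Cookie: value plus an
    HMAC-SHA256 tag over it, so tampering or forgery is detectable later."""
    tag = hmac.new(secret, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def verify_value(signed, secret=SERVER_SECRET):
    """Check a value read from the Cookie header. Returns the original value if
    the tag matches, or None if the value is missing, malformed or forged."""
    value, sep, tag = signed.rpartition(".")
    if not sep or not value or not tag:
        return None
    expected = hmac.new(secret, value.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the tag check does not leak timing information.
    return value if hmac.compare_digest(expected, tag) else None


if __name__ == "__main__":
    print("Set-Cookie as parsed by the browser:", attributes_from_set_cookie(SET_COOKIE_HEADER))
    print("Cookie as parsed by the server:     ", attributes_from_cookie(COOKIE_HEADER))
    issued = sign_value("abc123")
    print("Signed value the server would issue:", issued)
    print("Verification of the issued value:   ", verify_value(issued))
    print("Verification of a forged value:     ", verify_value("abc123.0000"))
```

The parsed Cookie header gives `httponly` as `False` for every cookie regardless of how it was set, which is the behaviour the question observed in Spring's `Cookie` objects. The signed-value check does not restore the HttpOnly information either; it only lets the server reject values it did not issue, which is the property that matters once the header is treated as untrusted input.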