If I already set SSL for my application server, do I still need to set HttpOnly for the cookies?
Viewed 9,498 times
1 Answer
20
Yes. The two flags have nothing to do with each other (both are security/privacy options, though).
"Secure" means that the cookie will only be sent over encrypted connections.
"HttpOnly" means that the cookie will not be visible to JavaScript.
You could still have XSS on an HTTPS page, for example (and then an evil script could eat your cookie).

Thilo
- As I understand, the purpose of stealing the cookie here is for session hijacking. If SSL is enabled, session hijacking is not possible? (Am I correct here?) – ysp80 Dec 23 '11 at 03:24
- With XSS, you can have malicious JavaScript read the session cookie. You can then send it to another server (for example by creating a hidden image tag with the cookie value in the URL) and hijack the session. – Thilo Dec 23 '11 at 03:26
- Yes, if you are using session cookies only (and not additional other factors like client IP, HTTP authentication or client certificates), then you can hijack the session by getting the cookie, even when SSL is enabled. SSL just makes sure you don't get the cookie by sniffing the network. – Thilo Dec 23 '11 at 03:37
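As an added illustration (not code from the question or the answer above), the following Python snippet builds a session cookie carrying both flags with the standard library and audits a response's Set-Cookie headers for whichever of the two is missing; the header names and cookie values are constructed sample data.

```python
from http.cookies import SimpleCookie

# The two independent flags discussed above: Secure keeps the cookie off
# plaintext connections, HttpOnly keeps it out of reach of page scripts.
REQUIRED_FLAGS = ("Secure", "HttpOnly")


def build_session_cookie(name, value):
    """Return a Set-Cookie header value that carries both flags."""
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["path"] = "/"
    cookie[name]["secure"] = True     # only over TLS
    cookie[name]["httponly"] = True   # invisible to document.cookie
    return cookie[name].OutputString()


def audit_set_cookie(header_value):
    """Return the required flags absent from one Set-Cookie header value.

    Attribute names are compared case-insensitively, as RFC 6265 allows.
    """
    attributes = {
        part.strip().split("=", 1)[0].lower()
        for part in header_value.split(";")[1:]
    }
    return [flag for flag in REQUIRED_FLAGS if flag.lower() not in attributes]


def audit_response_headers(headers):
    """Map each cookie name to the flags its Set-Cookie header lacks."""
    report = {}
    for header_name, header_value in headers:
        if header_name.lower() != "set-cookie":
            continue
        cookie_name = header_value.split("=", 1)[0].strip()
        report[cookie_name] = audit_set_cookie(header_value)
    return report


# Constructed sample response: one cookie set over HTTPS only, one with no flags.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/; Secure"),
    ("Set-Cookie", "theme=dark; Path=/"),
]

if __name__ == "__main__":
    print(build_session_cookie("sid", "abc123"))
    for name, missing in audit_response_headers(SAMPLE_HEADERS).items():
        print(f"{name}: missing {missing or 'nothing'}")
```

The audit flags the HTTPS-only JSESSIONID cookie as still missing HttpOnly, which is exactly the gap the answer describes: TLS does not stop an XSS payload from reading the cookie.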