Questions tagged [httponly]

HttpOnly is a flag in the cookie header to hide data from JavaScript

HttpOnly is a flag in the cookie header, indicating that the browser should hide this cookie from JavaScript and only use it for HTTP and HTTPS requests.

Important Note

HttpOnly only makes exploiting an XSS vulnerability a little more difficult: injected script cannot read the cookie value directly, but it still runs in the victim's session and can issue requests that carry the cookie. It does not provide protection against XSS itself.

294 questions
0 votes, 1 answer

How do I access a httponly cookie (set by the client) on the server?

I have a Single Page Application built with React and ASP.NET Core 2.1 WebAPI on the backend. I am switching from storing auth0 tokens in localstorage to httponly cookies and have trouble accessing the auth0 token stored in an httponly cookie (set by…
RAS
0 votes, 1 answer

Turn off HttpOnly for Flask Session for only one handler

I'm using Flask defaults so that HttpOnly is set for the session cookie. I have one handler for which I'd like to allow JavaScript to access the session cookie. Is there a way to change the Flask session cookie for a single handler so that HttpOnly…
new name
0 votes, 1 answer

How to use JWT payload to store session user data?

I am building a web application with an API back-end side written in Symfony and a front-end side written with Angular 7. My problem is to retrieve user data from the back-end and to store it in the session on the front-end side. I use JWT for…
Moran_bzh
0 votes, 1 answer

After securing ASPXAUTH and ASP.NET_SessionId cookies, is this the correct behavior?

We have been notified through a penetration test that our website is not securing the ASPXAUTH and ASP.NET_SessionId cookies. I have made several changes to secure the cookies. 1) Added the requireSSL="true" attribute to the System.Web…
Nathan Hood
0 votes, 1 answer

JSESSIONID (httponly cookie) not sent to web service from JavaScript

We have a web applet that loads under the URL https://secure-ausomxeja.crmondemand.com/OnDemand/... from where we are making a web service call within the same domain (https://secure-ausomxeja.crmondemand.com/Services/Integration) using JQuery. We…
ravikiran
0 votes, 1 answer

Scriptonly cookies?

So, basically what I want is the exact opposite of httponly cookies. I want to set a cookie in the browser via JavaScript and be able to retrieve it via JavaScript only. Meaning, that the cookie is not sent to the server. The use case is that the…
monken
0 votes, 0 answers

Destroy http-only cookie with cookie-parser

I am using cookie-parser to create an http-only cookie that holds the token for a logged-in user. Then I need to either destroy that cookie or make it expire when the user hits "logout". How can I destroy (or at least edit) the cookie? Will the…
slevin
0 votes, 1 answer

Koa-generic-session add token

I get a JWT token from another API and then want to send it to my node.js backend and write it in an httpOnly cookie. How do I add some data (a JWT token) to an HttpOnly cookie with koa-generic-session?
Yury Shapkarin
0 votes, 1 answer

How do I update the cookie JSESSIONID with HttpOnly by working directly on Http Headers?

Here is the big picture: I want to append "HttpOnly" to the JSESSIONID cookie, but I want to do this by hand, meaning: //create a new cookie StringBuilder updatedCookie = new StringBuilder("JSESSIONID").append("=") …
Belun
0 votes, 0 answers

UC browser not sending httponly cookie for websocket calls

I am using websockets to communicate with the server to avoid ajax polling, as it's taking up to 3-4 minutes to serve the request. At the server I need session information to serve the request, but the problem I faced on UC browser (Android, iPhone) is that it is…
0 votes, 1 answer

Missing HttpOnly Attribute for Session Identifier with HTTP protocol

Earlier I was getting HttpOnly for both the HTTP and HTTPS protocols, but the secure attribute was missing. In order to add the "Secure" attribute, I added secure="true" in the server.xml Connector port syntax as below –
Jatin
0 votes, 1 answer

JBoss 5.1 HttpOnly cookies, unable to log in to the system

I added the following line to my context.xml as discussed in this question, and now all my cookies are set to secure and httponly. But now when I log in to the system it throws me out and says my session has expired. The system is running on 'Http' and is…
Sam
0 votes, 0 answers

Accessing Cookies across Sub-domain

We have cookies added by the current website, say www.example.com. The cookie domain of those cookies is one of the following when viewed in the browser: www.example.com (also marked as HostOnly), .example.com, .www.example.com. Now, we are creating a…
deejo
0 votes, 1 answer

Access httponly cookie from server side (ASP.NET 4.5)

I am trying to retrieve an httponly cookie over https from code-behind and then set it to a session variable to retrieve from a web form page. The code is on the same domain. HttpCookie cookie = Request.Cookies["CookieName"]; if (cookie !=…
Sconny
0 votes, 1 answer

Setting HttpOnly in JBoss 7.1.1 throws error

I migrated my web.xml to the 3.0 xsd and added the following code to set cookies to HttpOnly true, but I get an error while deploying the project…
Amber