Questions tagged [httponly]

HttpOnly is a flag in the cookie header, indicating that the browser should hide this cookie from JavaScript and only use it for HTTP and HTTPS requests.

Important Note

HttpOnly just makes exploiting XSS vulnerabilities a little more difficult. It does not provide protection against XSS.

294 questions
0 votes, 1 answer

how do you exploit "Apache httpOnly cookie disclosure"?

Vulnerability description Apache HTTP Server 2.2.x through 2.2.21 does not properly restrict header information during construction of Bad Request (aka 400) error documents, which allows remote attackers to obtain the values of HTTPOnly cookies via…
Elkhazrajy
0 votes, 1 answer

set http only and secure flag for cookies in lighttpd

We are using lighttpd web server in our code base. We need to add SECURE and HTTP ONLY flags for the cookie. I have gone through many examples but all are related to PHP and some other language. We don't use PHP in our code. Is there…
Raghu Srikanth Reddy
0 votes, 2 answers

phpMyAdmin error: Cannot start session without errors if httponly/secure cookies are enabled

I just updated phpMyAdmin on my LAMP server on latest Debian wheezy to the newest version and now I am getting the following error when I try to log in using the cookie auth method: phpMyAdmin - Error Cannot start session without errors, please…
bz-mof
0 votes, 1 answer

how can I set the response header for IBM HTTP Server

I want to set response header at my application web server end to make my cookies "httponly" and "secure". Can anyone guide me how to achieve this? Will there be any impacts on the application running on HTTPS, if we make these changes?
Onki
0 votes, 1 answer

Properties of a cookie

How to check which properties (Secure, HttpOnly) are set for a cookie using Classic ASP or JavaScript?
Morais
0 votes, 1 answer

php.ini set session cookie secure

I have read some security posts on sessions. Although I configure most of it in php.ini on my shared host, some I can't. 1) I cannot find session.cookie_secure and session.cookie_httponly in my php.ini, since I'm still new to PHP I don't want to just…
Andrew
0 votes, 1 answer

Changes in Java 6 update 71 regarding httpOnly = true

We have observed the httpOnly attribute has some changes in Java 6 Update 71, due to which my JSessionIDSSO cookie has the attribute httpOnly as true. Just need to check, has anyone faced the same issue? Now my JNLP application which uses…
gusainhimanshu
0 votes, 0 answers

Custom 404 not setting HTTPONLY on cookies using Classic ASP and IIS 7

I am having an issue with getting IIS7 to make all of my session cookies HTTPONLY when using a custom 404 page. This is my web.config:
0 votes, 1 answer

Does HTTPOnly flag apply to persistent cookies

I understand HTTPOnly flag applies to session cookies. Does it apply to persistent cookies? Is anyone able to provide a reference? I have checked http://tools.ietf.org/rfc/rfc6265.txt on HTTPOnly flag but it is not explicitly stated.
0 votes, 1 answer

Why can't both HTTP Only and Secure flags be set in the cookies using Apache WebLogic?

My architect tells me that when using Apache to front-end WebLogic, WebLogic can't set the Secure flag in the cookies. Why is that? We are using Apache to create FIPS 140-2 compliant HTTPS connections. Update: The reason given is that "The cookie…
Mike Jr
0 votes, 1 answer

HttpOnly and Secure flag testing

I have set the following under web.config in my app
overloading
0 votes, 1 answer

are there implicit cookies created while web navigation? / httpOnly flag

In my website I am not using any kind of cookies, everything goes through server-side session handling. (no setcookie instruction at all) But still, using Acunetix website vulnerability checker, I get a report about "Session cookie without httpOnly…
Sebas
0 votes, 1 answer

Need Cookies value on client side with Httponly attribute true

We are setting the parameter httpOnly true in web.xml file to prevent the cookie creation at client side. This is causing problems reading the cookie values. We are using the following way to read the JSESSIONID cookie in…
bNd
0 votes, 1 answer

httpservletrequest is null when http-only is set to true

I am using JBoss 7 and I have configured my session config in web.xml as follows: 240 true However, in my servlet, I am getting a NullPointerException when…
user1066568
0 votes, 1 answer

How can I tell if httponly is set in my application

Without looking over the shoulder of a developer, how can I tell if HTTPonly is set properly from the front end of my web application?
eerik aljas