Questions tagged [httponly]

HttpOnly is a flag in the cookie header to hide data from JavaScript

HttpOnly is a flag in the cookie header, indicating that the browser should hide this cookie from JavaScript and only use it for HTTP and HTTPS requests.

Important Note

HttpOnly just makes exploiting XSS vulnerabilities a little more difficult. It does not provide protection against XSS.


294 questions
7 votes, 2 answers

Can't access httponly cookie from react js but can access in postman app! How is it possible?

I send a request to the server to log in and get a cookie with a token value with the HTTP only tag. After this action I can not access the cookie value in my react app, but I tested it in the postman app and I can see the cookie in this app. If I can see it in the postman…
Mohsen Mohebbi
7 votes, 1 answer

How to set httpOnly flag in ngCookies?

I have a JWT token that I'd like to store in a cookie. The cookie needs to have at least HttpOnly flag set, but I would also want to set the Secure flag to true. From the angular docs I know I can store my token in cookies like this: // using…
rublex
6 votes, 1 answer

Accessing document.cookie returns empty string even though cookies are listed in developer tools with httpOnly flag set to false

Sometimes*, when accessing document.cookie in the login page I get an empty string even though: cookies are listed in the Chrome and Firefox developer tools, the httpOnly flag of the cookie I'm interested in is set to false, the path of the cookie I'm interested…
davsto
6 votes, 1 answer

Session Cookie HTTPOnly flag not set on response from logout (Django)

I have a Django application and am configuring some security settings. One of the settings is the SESSION_COOKIE_HTTPONLY flag. I set this flag to True. On session creation (login) I can see the session HTTPOnly flag set if I inspect cookies. On…
Brian Ambielli
6 votes, 1 answer

Why are HTTPOnly Cookies not being set correctly in IE9?

I have set up my ColdFusion application to set HTTPOnly cookies using the code below (from http://www.petefreitag.com/item/764.cfm): THIS.Name = "MyCFApp"; THIS.SessionManagement = true; …
Eric Belair
6 votes, 0 answers

ASP.NET HttpOnly cookie in web.config not working

From everything I've read online, a web.config like this should enable HttpOnly cookies in ASP.NET 2.0. However, this is not working. ... Is…
jmosesman
6 votes, 3 answers

Forcing HttpOnly cookies with JRun/ColdFusion

We need to ensure that all cookies on a CF7 site are set as HttpOnly. We are using jsessionid to control our sessions, and JRun does not create this as HttpOnly. Whilst it is possible to modify an existing cookie to add this setting, we need to have…
Peter Boughton
5 votes, 1 answer

Setting httponly cookie with blazor

Is there a way to set a httponly cookie with blazor server side? Setting a non-httponly one with js-interop is not a problem, but in case of httponly it is obviously not possible this way. Thanks in advance, Holger
5 votes, 1 answer

Django won't set HttpOnly for csrftoken cookie

In my Django's settings.py I have SESSION_COOKIE_HTTPONLY = True SECURE_CONTENT_TYPE_NOSNIFF = True SECURE_BROWSER_XSS_FILTER = True X_FRAME_OPTIONS = 'DENY' SESSION_COOKIE_SECURE = True CSRF_COOKIE_SECURE = True SECURE_SSL_REDIRECT =…
texnic
5 votes, 0 answers

Cannot see Request or Response Cookie headers on external device phonegap app

While developing a phonegap application, I can see the SetCookie header in responses from XHR login requests to an API I am using. As expected, when I inspect subsequent requests, I see the cookie being sent. I can also see that it is an httpOnly…
5 votes, 1 answer

How to make rack session cookies httponly?

I am using Ruby and Sinatra to develop an application. I use enable :sessions in order to use the session variable provided by rack. How can I make all of the session cookies be HTTPOnly? Is it like this by default? I can't find any documentation…
Lev Dubinets
5 votes, 7 answers

Drop any session from client side

I'm preparing some diagnostic tool. It operates on the website in the iframe, only by javascript. Now what I need is to get rid of the session cookie in the website that I have in my iframe. I just need to be logged out after performing some…
Łukasz W.
4 votes, 2 answers

session cookie httponly false rails 3.1

I'm trying to turn httponly off for use in phonegap. I'm using rails 3.1 and devise, each of which has reported (but not documented) ways of doing this, none of which work: # application.rb config.session_options = { :httponly => false } # no…
Peter Ehrlich
4 votes, 1 answer

Set http only cookies inside NextJS middleware

I am trying to set a new access token when the current one expires inside my middleware. To do this ... I create a new token and pass it to an API route which places the token inside its response header. The problem is that this response is received…
Sameer Ahmed
4 votes, 1 answer

Can I access HttpOnly cookie using IHTMLDocument2 in ActiveX?

Can I access session cookies marked as HttpOnly via IHTMLDocument2::cookie inside ActiveX running in Internet Explorer 11? Here is the code example that comes from the answer to this question: CComPtr pDoc // get document from event…
IT Hit WebDAV