Questions tagged [httponly]

HttpOnly is a flag in the cookie header to hide data from JavaScript

HttpOnly is an attribute of the Set-Cookie response header, indicating that the browser should hide the cookie from client-side script (it is not exposed through document.cookie or similar APIs) and only send it with HTTP and HTTPS requests.

Important Note

HttpOnly only makes exploiting XSS vulnerabilities slightly harder: injected script cannot read the cookie value, but it can still issue requests that the browser sends with the cookie attached. It does not provide protection against XSS itself.

294 questions
4 votes, 2 answers

Add HttpOnly flag to cookies on the fly with Apache?

So I have a java webapp that uses tomcat with an apache proxy layer. I'm looking to make all cookies set from the app have the httpOnly flag. The problem with this is that tomcat is responsible for setting the flag from the application side and its…
Zack
4 votes, 0 answers

HttpOnly cookie and XSRF-TOKEN in angular js

I have an angular js web application with play framework as server side. I am using Google plus sign-in button to authenticate users. I need to authenticate all my ajax calls in the server side. After going through documentation that's available on…
DBS
4 votes, 1 answer

Will http_only cookies be sent with AJAX?

I found this link, but at the bottom it says "This information is likely no longer up to date." So my question is, will http_only cookies be sent with AJAX? Can the response via AJAX set http_only cookies? Edit 1: Let's say a user logged in to the…
Ezio_
4 votes, 2 answers

HttpOnly cookies on google app engine java

Anyone know how I can use httponly cookies for sessions and cookies on the app engine? In the javadoc for the Cookie class, http://java.sun.com/javaee/6/docs/api/javax/servlet/http/Cookie.html#setHttpOnly(boolean) , there is a setHttpOnly method. I…
Kyle
4 votes, 2 answers

When is it appropriate to have non-HttpOnly cookies on your domain?

I have read the OWASP information and also a range of articles including Jeff Atwood's Protecting Your Cookies article and I still feel I need to understand HttpOnly cookies better. This came about because I needed to add some Google Adword tracking…
Digbyswift
4 votes, 1 answer

How to set the HttpOnly and Secure flags in apache2.4.6 and tomcat

I have an apache2.4.6 and dotcms2.3.2 on suselinux. I want to set the httponly and secure flag in dotcms and tomcat. I set these configurations in apache and tomcat: in context.xml
Kobra Ghahremani
4 votes, 2 answers

document.cookie empty in phonegap application

I have a phonegap application that communicates with a server using ajax and cookies for session management. I need to access the cookies on the client side. I've tried: document.cookie; However, this results in an empty string. I know that the…
Niv
4 votes, 2 answers

How can I get HttpOnly cookies in Windows Phone 8?

I am working in a Windows Phone 8 PCL project. I am using a 3rd party REST API and I need to use a few HttpOnly cookies originated by the API. It seems like getting/accessing the HttpOnly cookies from HttpClientHandler's CookieContainer is not…
3 votes, 1 answer

jQuery redirects and HttpOnly cookies

We're using jQuery AJAX to log in. The login service issues an HTTP 302, with the location being the GET for the logged-in user, or (in the case of a login failure) a REST endpoint that always returns a not authorized HTTP status. At the same time…
Jeff Wang
3 votes, 3 answers

Missing HttpOnly Attribute in Session Cookie

In sign.jsp, I have written the following so that, if a user is already logged in, he is immediately forwarded to his home page: <% try{ HttpSession session1 = request.getSession(false); if(session1.getAttribute("authenticated")!=null && …
Tom
3 votes, 2 answers

HTTPOnly sets cookie expiration to session

I am writing a "Remember My Username" Cookie that expires in a custom duration of time e.g. one month. I noticed that when I add HttpOnly = true, the expiration changes to session. Why is this? I can't seem to find any documentation on why this…
evodev
3 votes, 1 answer

Render.com: HttpOnly Cookie not being set in browser storage when doing res.cookie between Web Services

I have a NestJs app that uses HttpOnly cookies for authentication. In development everything works perfectly. My NextJs client (http://localhost:4200) uses Graphql to send a login request to my NestJs server (http://localhost:3333), which sets…
Will Despard
3 votes, 0 answers

Cross Origin httponly cookie with nodejs and fetch

I have a question regarding a cross origin httponly cookie, I have created a very simple express example const express = require("express"); const cookieParser = require("cookie-parser"); const app = express(); const port =…
Mehdi Amenein
3 votes, 1 answer

Persisting user state in sveltekit

I'm trying to hook up a Strapi backend to a SvelteKit frontend, and stuck on how to persist user login state so that everything doesn't just reset on refresh, or when navigating to a new page. I've tried: Storing the jwt and user object issued by…
3 votes, 0 answers

Cross-Domain HttpOnly Cookie

I have a website: www.example.com. This website is a single page application (SPA) that calls APIs on this subdomain: api.example.com. Today I am using the Authorization header (Bearer token) in the API, but I am trying to replace it with cookies…
Daniel Barral