httponly

How do HttpOnly cookies work with AJAX requests?

JavaScript needs access to cookies if AJAX is used on a site with access restrictions based on cookies. Will HttpOnly cookies work on an AJAX site? Edit: Microsoft created a way to prevent XSS attacks by disallowing JavaScript access to cookies if HttpOnly is specified. Firefox later adopted this. So my question is: If you are using AJ...

How do you configure HttpOnly cookies in Tomcat / Java webapps?

After reading Jeff's blog post "Protecting Your Cookies: HttpOnly", I'd like to implement HttpOnly cookies in my web application. How do you tell Tomcat to use HttpOnly cookies for sessions? ...

How exactly do you configure httpOnlyCookies in ASP.NET?

Inspired by this CodingHorror article, "Protecting Your Cookies: HttpOnly": how do you set this property? Somewhere in the web.config? ...

How do you set up and use HttpOnly cookies in PHP?

How can I set the cookies in my PHP apps as HttpOnly cookies? ...

How exactly do you configure HttpOnly cookies in Classic ASP?

I'm looking to implement HttpOnly in my legacy Classic ASP sites. Does anyone know how to do it? ...

How do I set HttpOnly on a session cookie in Rails 2.1?

I notice that Rails 2.2 (currently edge) supports setting HttpOnly on the session cookie. Is there a way of setting it on a Rails 2.1 application without moving to edge/2.2? ...

Sharing ASP.NET session cookies with a Java applet

I have a Java applet that runs inside a forms-authenticated aspx page. In the .NET 1.1 version of my site, the applet has access to the session cookie and is able to retrieve a file from the server, but in the .NET 2.0 version it fails to authenticate. I have seen a couple of forum posts elsewhere that state that 2.0 sets cookies to Htt...

Which browsers support HttpOnly cookies?

Which browsers support HttpOnly cookies, and since which version? Please see http://www.codinghorror.com/blog/archives/001167.html for a discussion of HttpOnly cookies and XSS prevention. ...

Is there a way to flag cookies as HttpOnly in Pylons?

I can't find any documentation on the web about how to do this. I think it's probably possible to send some sort of custom HTTP response header, but it seems kind of lame to do that if there is a more canonical way. ...

Forcing HttpOnly cookies with JRun/ColdFusion

We need to ensure that all cookies on a CF7 site are set as HttpOnly. We are using jsessionid to control our sessions, and JRun does not create this as HttpOnly. Whilst it is possible to modify an existing cookie to add this setting, we need to have it set to HttpOnly from the start. Any suggestions? Related Question: Setting Secure...

How can I tell if HttpOnly is set in my application?

Without looking over the shoulder of a developer, how can I tell if HttpOnly is set properly from the front end of my web application? ...

Security scan finds httpOnly cookies in ASP.NET application even when disabled

I have tried to enable httpOnly cookies in my WSS 3.0 forms-authentication application using the web.config tag. A Cenzic Hailstorm security scan report claims that cookies are being produced with the flag off, including the .ASPXAUTH cookie, one related to Discovery.asmx, and one related to WSS_AccessibiltyFeature. Here are my questions...

HttpOnly cookies in SharePoint break creation of workflows in browser

This is not a question but a solution that I just discovered. The issue was this: When I tried to create an Approval workflow on a document library through the browser in a MOSS Enterprise installation, I got an "Unexpected Error" message. Outputting the error to the browser, I got Value cannot be null. Parameter name: g at System....

Could this XSS protection with HttpOnly Cookies work?

I have done some research on HttpOnly cookies and the problem that exists with the possibility of using an XHR request in combination with the TRACE method to get the cookie value echoed back from the server. For a secure web application I currently have the following setup: Session cookie is sent at login with the secure and httpOnly propert...
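The question above concerns cross-site tracing: if a server honours TRACE, the response body repeats the request, Cookie header included, so a script that could issue a TRACE request would read an HttpOnly cookie anyway. The following added example (not code from the question or any answer on this page) shows how to check a server for that behaviour. Both handlers are constructed for the demonstration: `EchoingTraceHandler` deliberately implements TRACE the permissive way, `HardenedHandler` leaves it unimplemented, and the function names are this example's own.

```python
"""Check whether a server echoes request headers back on TRACE.

Added example, not from any question or answer on this page. The two
handlers are constructed for the demonstration and run on localhost only.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class EchoingTraceHandler(BaseHTTPRequestHandler):
    """Constructed: answers TRACE with the request line and headers (the RFC 7231 behaviour)."""

    def do_TRACE(self):  # method name is dictated by BaseHTTPRequestHandler
        body = (self.requestline + "\r\n" + str(self.headers)).encode("latin-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


class HardenedHandler(BaseHTTPRequestHandler):
    """Constructed: no do_TRACE, so the base class answers 501 Unsupported method."""

    def log_message(self, *args):
        pass


def serve(handler):
    """Start handler on an ephemeral localhost port in a daemon thread; return (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def trace_echoes_cookie(host, port, cookie_value="SESSIONID=secret-token"):
    """Send TRACE carrying a Cookie header; True if the cookie value comes back in the body."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("TRACE", "/", headers={"Cookie": cookie_value})
        resp = conn.getresponse()
        body = resp.read().decode("latin-1")
        return resp.status == 200 and cookie_value in body
    finally:
        conn.close()


def check_handlers():
    """Run the check against both constructed servers; returns {"echoing": bool, "hardened": bool}."""
    results = {}
    for name, handler in (("echoing", EchoingTraceHandler), ("hardened", HardenedHandler)):
        server, port = serve(handler)
        try:
            results[name] = trace_echoes_cookie("127.0.0.1", port)
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    for name, leaked in check_handlers().items():
        print(f"{name}: cookie echoed back on TRACE = {leaked}")
```

To test a real deployment, point `trace_echoes_cookie` at its host and port instead of the constructed servers; a 405 or 501 means TRACE is off. Current browsers reject TRACE (and CONNECT and TRACK) in XMLHttpRequest and fetch, which closed the script-side half of this attack, but disabling TRACE on the server remains the expected hardening and is what scanners check for.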

Properties of a cookie

How can I check which properties (Secure, HttpOnly) are set for a cookie using Classic ASP or JavaScript? ...

HttpOnly cookies on google app engine java

Does anyone know how I can use HttpOnly cookies for sessions and cookies on App Engine? In the Javadoc for the Cookie class, http://java.sun.com/javaee/6/docs/api/javax/servlet/http/Cookie.html#setHttpOnly(boolean) , there is a setHttpOnly method. I get a compiler error when trying to use it when developing for App Engine, though. The...

How do I set the session cookie's HttpOnly setting to false?

In Ruby on Rails, how do I set the session cookie's httpOnly setting to false? ...

Setting HTTPONLY for Classic Asp Session Cookie

Hello all. Does anyone know exactly how to set HTTPONLY on Classic ASP session cookies? This is the final thing that's been flagged in a vulnerability scan and needs fixing ASAP, so any help is appreciated. ~~~A LITTLE MORE INFORMATION ON MY PROBLEM~~~ Can anyone please help me with this? I need to know how to set HTTPONLY on the AS...

Setting httponly in JSESSIONID cookie (Java EE 5)

I'm trying to set the httponly flag on the JSESSIONID cookie. I'm working in Java EE 5, however, and can't use setHttpOnly(). First I tried to create my own JSESSIONID cookie from within the servlet's doPost() by using response.setHeader(). When that didn't work, I tried response.addHeader(). That didn't work either. Then, I learned...
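Several of the questions above come down to two operations on the raw `Set-Cookie` header: producing one that carries `HttpOnly` (and `Secure`) where the platform has no API for it, as in the Classic ASP and Java EE 5 questions, and reading back which flags a cookie actually has, as in "How can I tell if HttpOnly is set" and "Properties of a cookie". This added example (not code from any question or answer on this page) does both in Python with the standard library. The function names are this example's own; `SAMPLE_HEADERS` is constructed for illustration, with cookie names borrowed from the page and made-up values.

```python
"""Build and audit Set-Cookie headers for the HttpOnly and Secure flags.

Added example, not from any question or answer on this page. Standard
library only; SAMPLE_HEADERS is constructed, not captured from a site.
"""
from typing import Dict, List, Optional
import urllib.request


def set_cookie_header(name: str, value: str, *, path: str = "/",
                      secure: bool = True, httponly: bool = True,
                      samesite: Optional[str] = "Lax") -> str:
    """Return a Set-Cookie header value; how it reaches the response is platform-specific."""
    parts = [f"{name}={value}", f"Path={path}"]
    if secure:
        parts.append("Secure")      # browser sends it over HTTPS only
    if httponly:
        parts.append("HttpOnly")    # hidden from document.cookie
    if samesite:
        parts.append(f"SameSite={samesite}")
    return "; ".join(parts)


def parse_set_cookie(header: str) -> Dict[str, Optional[str]]:
    """Split one Set-Cookie value into name/value plus lower-cased attributes.

    RFC 6265 matches attribute names case-insensitively, so "HttpOnly",
    "httponly" and "HTTPONLY" are the same flag. Flags without '=' map to "".
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie: Dict[str, Optional[str]] = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        if not attr:
            continue
        key, has_eq, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip() if has_eq else ""
    return cookie


def audit_cookies(headers: List[str]) -> Dict[str, Dict[str, bool]]:
    """Map each cookie name to whether HttpOnly and Secure were present."""
    report: Dict[str, Dict[str, bool]] = {}
    for header in headers:
        c = parse_set_cookie(header)
        report[c["name"]] = {"httponly": "httponly" in c, "secure": "secure" in c}
    return report


def cookies_missing_httponly(headers: List[str]) -> List[str]:
    """Names of cookies that page scripts could read through document.cookie."""
    return sorted(n for n, f in audit_cookies(headers).items() if not f["httponly"])


def fetch_set_cookie_headers(url: str) -> List[str]:
    """Live check: every Set-Cookie header a URL responds with, kept separate.

    get_all() is used because joining the headers with commas would split
    inside Expires dates, which themselves contain a comma.
    """
    with urllib.request.urlopen(url) as resp:
        return resp.headers.get_all("Set-Cookie") or []


# Constructed sample response headers (not captured from a real application).
SAMPLE_HEADERS = [
    "JSESSIONID=1A2B3C; Path=/",                                   # neither flag
    ".ASPXAUTH=0F0F0F; path=/; HttpOnly",                          # HttpOnly, not Secure
    "csrftoken=t0k3n; Path=/; Secure; HTTPONLY; SameSite=Strict",  # both, unusual casing
    "prefs=dark; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/",   # meant to be script-readable
    set_cookie_header("sid", "9f9f9f"),                            # built by the helper above
]

if __name__ == "__main__":
    for name, flags in audit_cookies(SAMPLE_HEADERS).items():
        print(f"{name:12} HttpOnly={flags['httponly']!s:5} Secure={flags['secure']}")
    print("readable from JavaScript:", cookies_missing_httponly(SAMPLE_HEADERS))
```

From the front end the same fact can be observed the other way round: a cookie with `HttpOnly` never appears in `document.cookie`, so anything the browser console does show is, by definition, missing the flag. Feed `fetch_set_cookie_headers(url)` into `audit_cookies` to audit a running application; note that a container may set its own session cookie regardless of what application code emits, which is the situation the Java EE 5 question above describes.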

C#: Get HttpOnly cookie

Hello, how can I get an HttpOnly cookie from an HttpWebResponse? Usually I use a CookieContainer to get the cookies from an HttpWebResponse, but it doesn't work with HttpOnly cookies. Is there another way to catch them? ...