JavaScript needs access to cookies if AJAX is used on a site with access restrictions based on cookies. Will HttpOnly cookies work on an AJAX site?
Edit: Microsoft created a way to prevent XSS attacks by disallowing JavaScript access to cookies if HttpOnly is specified. Firefox later adopted this. So my question is: If you are using AJ...
After reading Jeff's blog post on Protecting Your Cookies: HttpOnly, I'd like to implement HttpOnly cookies in my web application.
How do you tell Tomcat to use HttpOnly cookies for sessions?
...
Inspired by this CodingHorror article, "Protecting Your Cookies: HttpOnly"
How do you set this property? Somewhere in the web config?
...
How can I set the cookies in my PHP apps as HttpOnly cookies?
...
I'm looking to implement httpOnly in my legacy ASP classic sites.
Anyone knows how to do it?
...
I notice that Rails 2.2 (currently edge) supports setting HttpOnly on the session cookie.
Is there a way of setting it on a Rails 2.1 application without moving to edge/2.2?
...
I have a Java applet that runs inside a forms-authenticated aspx page. In the .NET 1.1 version of my site, the applet has access to the session cookie and is able to retrieve a file from the server, but in the .NET 2.0 version it fails to authenticate.
I have seen a couple of forum posts elsewhere that state that 2.0 sets cookies to Htt...
Which browsers do support HttpOnly cookies, and since which version?
Please see http://www.codinghorror.com/blog/archives/001167.html for a discussion of HttpOnly cookies and XSS-prevention.
...
I can't find any documentation on the web about how to do this. I think it's probably possible to send some sort of custom HTTP header response, but it seems kind of lame to do that if there is a more canonical way.
...
We need to ensure that all cookies on a CF7 site are set as HttpOnly.
We are using jsessionid to control our sessions, and JRun does not create this as HttpOnly.
Whilst it is possible to modify an existing cookie to add this setting, we need to have it set to HttpOnly from the start.
Any suggestions?
Related Question: Setting Secure...
Without looking over the shoulder of a developer, how can I tell if HttpOnly is set properly from the front end of my web application?
...
I have tried to enable httpOnly cookies in my WSS 3.0 forms-authentication application using the web.config tag. A Cenzic Hailstorm security scan report claims that cookies are being produced with the flag off, including the .ASPXAUTH cookie, one related to Discovery.asmx, and one related to WSS_AccessibiltyFeature. Here are my questions...
This is not a question but a solution that I just discovered.
The issue was this:
When I tried to create an Approval workflow on a document library through the browser in a MOSS Enterprise installation, I got an "Unexpected Error" message. Outputting the error to the browser, I got
Value cannot be null.
Parameter name: g at System....
I have done some research on HttpOnly cookies and the problem that exists with the possibility to use an XHR request in combination with the TRACE method to get the cookie value echoed back from the server.
For a secure web application I currently have the following setup:
Session cookie is sent at login with secure and httpOnly propert...
How to check what all properties (Secure, HttpOnly) are set for a cookie using Classic ASP or JavaScript?
...
Anyone know how I can use httponly cookies for sessions and cookies on App Engine?
In the Javadoc for the Cookie class, http://java.sun.com/javaee/6/docs/api/javax/servlet/http/Cookie.html#setHttpOnly(boolean), there is a setHttpOnly method.
I get a compiler error when trying to use it when developing for App Engine though.
The...
In Ruby on Rails, how do I set the session cookie's httpOnly setting to false?
...
Hello all,
Does anyone know exactly how to set HTTPONLY on classic ASP session cookies?
This is the final thing that's been flagged in a vulnerability scan and needs fixing ASAP, so any help is appreciated.
~~~A LITTLE MORE INFORMATION ON MY PROBLEM~~~
Can anyone please help me with this?
I need to know how to set HTTPONLY on the AS...
I'm trying to set the httponly flag on the JSESSIONID cookie. I'm working in Java EE 5, however, and can't use setHttpOnly(). First I tried to create my own JSESSIONID cookie from within the servlet's doPost() by using response.setHeader(). When that didn't work, I tried response.addHeader(). That didn't work either. Then, I learned...
Hello,
How can I get an httponly cookie in a HttpWebResponse?
Habitually I use a CookieContainer to get the cookies in a HttpWebResponse, but it doesn't work with httponly cookies.
Is there another way to catch them?
...