Understanding the intended behaviour of the HttpOnly flag

I have a slight confusion regarding the HttpOnly attribute in cookies. I am aware that its main use is for protection against XSS attacks. Let us assume there is a web application which has set HttpOnly enabled for the cookie. I used an interception proxy like Fiddler for this. But in all subsequent transactions the cookie is not accompanied with the HttpOnly flag. Is this a feature, like set it once and the whole session is covered under the HttpOnly flag, or is this an implementation flaw? But again, when monitored through a cookie manager addon, the properties show that HttpOnly is enabled. My question is: if it's enabled, why does the cookie manager show it enabled but not an interception proxy? Is this the normal expected behaviour or a wrong implementation? Please help me understand.
1.5k views, asked by Mechanic
HttpOnly is sent by the server in the Set-Cookie header to instruct the browser not to make the cookie available to JavaScript. The browser will still send it over HTTP connections. The Set-Cookie header can contain all sorts of instructions for cookies, like when they expire, what domain they are for, which path, whether they should only be sent over HTTPS (Secure flag) and HttpOnly. These are all instructions from the server to the browser, so there is no point in the browser sending them back to the server on each request.
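As an added illustration of the answer above (example code, not part of the original post or of any real browser's implementation), the toy cookie jar below models the three things a browser does that explain what the question observed: it stores the Set-Cookie attributes in its cookie store (what a cookie manager addon reads), it builds the Cookie request header from name=value pairs only (what an interception proxy sees), and it hides HttpOnly cookies from document.cookie. The sample Set-Cookie headers, cookie names and values are constructed for the example; a single origin is assumed, and Domain, Expires, Max-Age and SameSite are parsed but not enforced.

```javascript
// Toy browser cookie jar (added example, not code from the original post).
// Models: storing Set-Cookie attributes, emitting the Cookie request header,
// and the script-visible document.cookie view. Single origin assumed.

// Parse one Set-Cookie response header into a cookie record. Attributes are
// instructions to the browser and are kept with the stored cookie only.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq).trim(),
    value: pair.slice(eq + 1).trim(),
    path: '/',
    httpOnly: false,
    secure: false,
    other: {}, // domain, expires, max-age, samesite: parsed, not enforced here
  };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? '' : attr.slice(i + 1).trim();
    if (key === 'httponly') cookie.httpOnly = true;   // bare flag
    else if (key === 'secure') cookie.secure = true;  // bare flag
    else if (key === 'path') cookie.path = val || '/';
    else if (key) cookie.other[key] = val;
  }
  return cookie;
}

// RFC 6265 path-match: equal, or cookie path is a prefix that ends in "/"
// or is followed by "/" in the request path ("/app" must not match "/application").
function pathMatches(cookiePath, requestPath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Store every Set-Cookie header from a response. A later cookie with the same
// name overwrites the earlier one, as a browser does for the same domain/path.
function storeCookies(jar, setCookieHeaders) {
  for (const h of setCookieHeaders) {
    const c = parseSetCookie(h);
    jar.set(c.name, c);
  }
  return jar;
}

// The Cookie request header the browser puts on the wire: name=value pairs
// only. Secure cookies are withheld on plain http. HttpOnly is not consulted
// at all: the cookie is sent like any other, and the flag never travels with
// it, so an interception proxy has nothing to show.
function buildCookieHeader(jar, { scheme, path }) {
  const pairs = [];
  for (const c of jar.values()) {
    if (c.secure && scheme !== 'https') continue;
    if (!pathMatches(c.path, path)) continue;
    pairs.push(`${c.name}=${c.value}`);
  }
  return pairs.join('; ');
}

// What page script reads from document.cookie: same selection rules, but
// HttpOnly cookies are omitted. That omission is the entire effect of the flag.
function documentCookie(jar, { scheme, path }) {
  const pairs = [];
  for (const c of jar.values()) {
    if (c.httpOnly) continue;
    if (c.secure && scheme !== 'https') continue;
    if (!pathMatches(c.path, path)) continue;
    pairs.push(`${c.name}=${c.value}`);
  }
  return pairs.join('; ');
}

// Constructed sample: what a login response might send.
const SAMPLE_SET_COOKIE = [
  'SESSIONID=abc123; Path=/; HttpOnly; Secure',
  'theme=dark; Path=/',
];

function demo() {
  const jar = storeCookies(new Map(), SAMPLE_SET_COOKIE);
  const ctx = { scheme: 'https', path: '/account' };
  console.log('cookie store (cookie manager view):', jar.get('SESSIONID'));
  console.log('Cookie header (proxy view):', buildCookieHeader(jar, ctx));
  console.log('document.cookie (script view):', documentCookie(jar, ctx));
}
demo();
```

Running it prints the stored record with httpOnly: true and secure: true, a request header of `SESSIONID=abc123; theme=dark` with no attributes at all, and a document.cookie of just `theme=dark`. That is the behaviour the question describes: the proxy, which only ever sees the Cookie request header, cannot show the flag, while the addon, which reads the browser's cookie store, can. The one place to check the flag with a proxy is the Set-Cookie response header itself.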