Can I use Javascript to see if an HTTP-only cookie exists, I don't want to see the value, just know whether or not it is there.
I need this because I have an API using cookie based authentication with servicestack, with a client side SPA. I need to know, client side, whether or not I am authenticated.
Is this possible?
An HttpOnly cookie cannot be accessed by client-side APIs, such as JavaScript. This restriction eliminates the threat of cookie theft via cross-site scripting (XSS). If the browser allowed you to access it then it would be a defect in the browser.
You can determine whether or not a session cookie is missing the HttpOnly flag by checking the domain against https://securityheaders.com. Alternatively, you can validate with the Google Chrome developer tools when examining the HTTP Response header Set-Cookie.
In order to delete a cookie from JS, therefore, you need to ensure that you are addressing the correct cookie by both name and flag values, and that it doesn't have HTTPOnly flag set, and that you're on a page with a HTTPS certificate. If any of these are not true, you won't be able to edit/delete it.
An HttpOnly Cookie is a tag added to a browser cookie that prevents client-side scripts from accessing data. It provides a gate that prevents the specialized cookie from being accessed by anything other than the server.
No.
HTTP-only cookies are not exposed to the JS in any way. That is the point of the HTTP-only flag.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With