 

How to set cookie secure flag using javascript

I have tried to set a cookie using document.cookie = "tagname = test; secure" but this does not set the secure flag. Am I setting it wrong? Can you only set it from a server response? I am also wondering, because I have had a difficult time finding an example of its use, whether it is probably not commonly used?

Thanks a bunch!

BobtheMagicMoose asked May 15 '16 04:05



1 Answer

TL;DR

document.cookie = "tagname = test;secure";

You have to use HTTPS to set a secure attribute.

The normal (or formal, maybe) name is "attribute", since "flag" refers to other things.

More Info

Cookie attributes:

Secure - The cookie will be sent over HTTPS transmissions only.

HttpOnly - Don't allow scripts to access the cookie. You can set both Secure and HttpOnly.

Domain - Specify the hosts to which the cookie will be sent.

Path - Create scopes; the cookie will be sent only if the path matches.

Expires - Indicates the maximum lifetime of the cookie.

For more details and practical usage, check Testing_for_cookies_attributes_(OTG-SESS-002).

UPDATE: The following content expires on June 2, 2016.

Cookie Flags

Cookie flags are prefixes. At the moment, they are described in the RFC draft as an update to RFC6265.

These flags are used with the 'secure' attribute.

__Secure- 

The dash is a part of the prefix. This flag tells the browser that the cookie should only be included over 'https'.

__Host- 

A cookie with this flag:

  1. must not have a 'domain' attribute; it will only be sent to the host which set it.

  2. must have a 'path' attribute that is set to '/', because it will be sent to the host in every request from the host.

wolfrevo answered Sep 29 '22 13:09
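The attribute rules from the answer above (Secure only takes effect from an https: page, __Secure- requires Secure, __Host- additionally requires Path=/ and no Domain) as an added example that is not part of the original answer. The `buildCookieString` and `setSecureCookie` helpers are hypothetical names; `doc` and `loc` stand in for `document` and `window.location` so the code can be exercised outside a browser.

```javascript
// Added example, not from the answer: build a document.cookie string and
// enforce the __Secure-/__Host- prefix rules from the RFC 6265 draft update,
// so a cookie the browser would silently reject fails loudly in code instead.
function buildCookieString(name, value, attrs = {}) {
  const secure = Boolean(attrs.secure);
  if (name.startsWith("__Secure-") && !secure) {
    throw new Error("__Secure- prefix requires the Secure attribute");
  }
  if (name.startsWith("__Host-")) {
    if (!secure) throw new Error("__Host- prefix requires the Secure attribute");
    if (attrs.domain) throw new Error("__Host- cookies must not set Domain");
    if (attrs.path !== "/") throw new Error("__Host- cookies must set Path=/");
  }
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (attrs.path) parts.push(`Path=${attrs.path}`);
  if (attrs.domain) parts.push(`Domain=${attrs.domain}`);
  if (attrs.expires instanceof Date) parts.push(`Expires=${attrs.expires.toUTCString()}`);
  if (secure) parts.push("Secure");
  return parts.join("; ");
}

// A Secure cookie written via document.cookie only sticks on an https: page;
// on http: the browser drops it without any error. HttpOnly cannot be set from
// script at all (the browser ignores the whole cookie), so it is refused here.
// `doc` and `loc` are hypothetical stand-ins for document and window.location.
function setSecureCookie(doc, loc, name, value, attrs = {}) {
  if (loc.protocol !== "https:") {
    throw new Error("Secure cookies can only be set from an https: page");
  }
  if (attrs.httpOnly) {
    throw new Error("HttpOnly cannot be set from script; set it in Set-Cookie");
  }
  const cookie = buildCookieString(name, value, { ...attrs, secure: true });
  doc.cookie = cookie;
  return cookie;
}
```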