Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to set cookie secure flag using javascript

Tags:

javascript

security

cookies

get

I have tried to set a cookie using document.cookie = "tagname = test; secure" but this does not set the secure flag. Am I setting it wrong? Can you only set it from a server response? I am also wondering that, because I have had a difficult time finding an example of its use, that it probably is not commonly used?

Thanks a bunch!

like image 377
BobtheMagicMoose Avatar asked May 15 '16 04:05

BobtheMagicMoose

People also ask

Can secure cookie be read by JavaScript?

Secure as in the cookie cannot be read by Javascript running in the browser — ie. document. cookie will not work. Known as the "HttpOnly" flag.

Can you set cookies with JavaScript?

JavaScript can create, read, and delete cookies with the document.

What is secure flag in cookie?

The Secure flag is used to declare that the cookie may only be transmitted using a secure connection (SSL/HTTPS). If this cookie is set, the browser will never send the cookie if the connection is HTTP. This flag prevents cookie theft via man-in-the-middle attacks.

1 Answers

TL:DR

document.cookie = "tagname = test;secure";

You have to use HTTPS to set a secure attribute

The normal (or formal, maybe) name is attribute. Since the flag refers to other things.

More Info

Cookie attributes:

Secure - Cookie will be sent in HTTPS transmission only.

HttpOnly- Don't allow scripts to access cookie. You can set both of the Secure and HttpOnly.

Domain- specify the hosts to which the cookie will be sent.

Path - create scopes, cookie will be sent only if the path matches.

Expires - indicates the maximum lifetime of the cookie.

More details and practical usages. Check Testing_for_cookies_attributes_(OTG-SESS-002)

UPDATES The following contents expire in June 2, 2016.

Cookie Flags

Cookie flags are prefixes. At the moment, they are described in the RFC draft as a update to the RFC6265

These flags are used with the 'secure' attribute.

__Secure-

The dash is a part of the prefix. This flag tells the browser, the cookie should only be included in 'https'.

__Host-

A cookie with this flag

  1. must not have 'domain' attribute, it will be only sent to the host which set it.

  2. Must have a 'path' attribute, that is set to '/', because it will be sent to the host in every request from the host.

like image 164
wolfrevo Avatar answered Sep 29 '22 13:09

wolfrevo
Sign in to Comment

Related questions

AngularJS - How to use ng-if without HTML element
Is there a way to tell if an ES6 promise is fulfilled/rejected/resolved? [duplicate]
Define local function in JavaScript: use var or not?
Running JavaScript unit tests headlessly in a Continuous Integration build
Uncaught InvalidStateError: Failed to execute 'send' on 'WebSocket': Still in CONNECTING state
How to toggle class using pure javascript in html
Using querySelectorAll(). Is the result returned by the method ordered?
Is it possible to create desktop applications with node.js? [duplicate]
Running the same mocha test multiple times with different data
How can I use knockout's $parent/$root pseudovariables from inside a .computed() observable?
Including JavaScript files from GitHub into HTML pages
Fire jQuery event on div change
JavaScript Objects as Hashes? Is the complexity greater than O(1)?
What happens if we set the value of undefined?
Set JavaScript variable = null, or leave undefined?
How to use Redux to refresh JWT token?
Pure JavaScript code for HTTP Basic Authentication?
Getting an option text/value with JavaScript
How to read text file in JavaScript

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!