If I already set SSL for my application server, do I still need to set HttpOnly for the cookies?
HttpOnly and secure flags can be used to make the cookies more secure. When a secure flag is used, then the cookie will only be sent over HTTPS, which is HTTP over SSL/TLS.
Using the HttpOnly flag when generating a cookie helps mitigate the risk of client-side script accessing the protected cookie (if the browser supports it).
Use the HttpOnly attribute to prevent access to cookie values via JavaScript. Cookies that are used for sensitive information (such as indicating authentication) should have a short lifetime, with the SameSite attribute set to Strict or Lax.
An HttpOnly Cookie is a tag added to a browser cookie that prevents client-side scripts from accessing data. It provides a gate that prevents the specialized cookie from being accessed by anything other than the server.
Yes. The two flags have nothing to do with each other (both are security/privacy options, though).
"Secure" means that the cookie will only be sent over encrypted connections.
"HttpOnly" means that the cookie will not be visible to JavaScript.
You could still have XSS on an HTTPS page, for example (and then an evil script could eat your cookie).
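As an added illustration (not part of the original thread), here is a small Python audit that parses Set-Cookie header values and reports which of the protections discussed above (Secure, HttpOnly, SameSite) are missing, alongside a helper that emits a hardened session cookie; the header values are constructed samples, not taken from any real server.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class CookieAudit:
    name: str
    secure: bool
    http_only: bool
    same_site: str  # "Strict", "Lax", "None", or "" when the attribute is absent
    findings: List[str] = field(default_factory=list)


def audit_set_cookie(header_value: str) -> CookieAudit:
    """Parse one Set-Cookie header value and list the missing protections.

    Attribute names are matched case-insensitively, as browsers do; the
    cookie name is the part before the first '=' of the first segment.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        key, _, value = attr.partition("=")  # flag attributes have no '='
        attrs[key.strip().lower()] = value.strip()
    audit = CookieAudit(
        name=name,
        secure="secure" in attrs,
        http_only="httponly" in attrs,
        same_site=attrs.get("samesite", "").capitalize(),
    )
    if not audit.secure:
        audit.findings.append("missing Secure: cookie may be sent over plain HTTP")
    if not audit.http_only:
        audit.findings.append("missing HttpOnly: readable via document.cookie, so XSS exposes it")
    if audit.same_site not in ("Strict", "Lax"):
        audit.findings.append("SameSite not Strict/Lax: sent on cross-site requests")
    return audit


def hardened_set_cookie(name: str, value: str, max_age: int = 900) -> str:
    """Session cookie with both flags, SameSite=Lax and a short lifetime (15 min)."""
    return f"{name}={value}; Path=/; Max-Age={max_age}; Secure; HttpOnly; SameSite=Lax"


# Constructed sample headers: TLS on the server sets neither flag by itself.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/",                                  # no protections
    "sessionid=abc123; Path=/; Secure",                          # still readable by script
    "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",  # what the answer recommends
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(header, "->", audit_set_cookie(header).findings or "ok")
```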