 

Is HttpOnly necessary when SSL is already set?

If I already set SSL for my application server, do I still need to set HttpOnly for the cookies?

ysp80 asked Dec 23 '11 03:12


People also ask

When should I use HttpOnly?

Whenever a cookie carries something page script never needs to read, such as a session identifier. HttpOnly and Secure address different risks and are normally set together: Secure restricts the cookie to HTTPS (HTTP over SSL/TLS), HttpOnly keeps it out of reach of client-side script.

When should HttpOnly cookies be set?

Setting the HttpOnly flag when a cookie is generated helps mitigate the risk of client-side script accessing it (if the browser supports the flag).

Should cookie be HttpOnly?

Use the HttpOnly attribute to prevent access to cookie values via JavaScript. Cookies used for sensitive information (such as indicating authentication) should also have a short lifetime and the SameSite attribute set to Strict or Lax.

What is the purpose of HttpOnly?

HttpOnly is an attribute on a cookie that stops client-side script from reading it. The browser still stores the cookie and attaches it to matching requests, but document.cookie and similar APIs do not expose it, so only the server ever sees its value.


1 Answer

Yes. The two flags have nothing to do with each other (both are security/privacy options, though).

  • "Secure" means that the cookie will only be sent over encrypted connections

  • "HttpOnly" means that the cookie will not be visible to JavaScript

You could still have XSS on an HTTPS page, for example (and then an evil script could eat your cookie).

Thilo answered Oct 23 '22 14:10
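As an added example (not part of the question or of Thilo's answer), the JavaScript below models the two independent decisions the answer separates: whether the browser attaches a cookie to a request (Secure, decided by the scheme) and whether page script can read it (HttpOnly). It also audits Set-Cookie headers for a session cookie missing either flag. The cookie names (`sid`, `theme`, `legacy`), the header strings and the helper function names are constructed for illustration and are not from any real site or library.

```javascript
// Added example, not code from the original question or answer. It models
// the two independent decisions the answer describes: whether a cookie is
// sent on a request (Secure, by scheme) and whether page script can read it
// (HttpOnly), and audits Set-Cookie headers for missing attributes.
// All cookie names, values and header strings are constructed sample data.

// Parse one Set-Cookie header value into a cookie record.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    secure: false,
    httpOnly: false,
    sameSite: null, // 'strict', 'lax', 'none', or null when absent
  };
  for (const attr of parts.slice(1)) {
    const [k, v = ''] = attr.split('=').map((s) => s.trim());
    const key = k.toLowerCase();
    if (key === 'secure') cookie.secure = true;
    else if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'samesite') cookie.sameSite = v.toLowerCase();
  }
  return cookie;
}

// Names of the cookies a browser attaches to a request on the given scheme.
// Secure cookies travel only over https; HttpOnly plays no part here.
function cookiesForRequest(jar, scheme) {
  return jar.filter((c) => scheme === 'https' || !c.secure).map((c) => c.name);
}

// What document.cookie would contain for a page loaded over the given scheme.
// HttpOnly cookies are hidden from script even on an https page; a Secure
// cookie is hidden only on a plain http page. Modelled here as: a cookie is
// readable by script iff it would be sent from that page and is not HttpOnly.
function documentCookie(jar, scheme) {
  return jar
    .filter((c) => (scheme === 'https' || !c.secure) && !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Findings for a cookie that holds a session or other sensitive value.
function auditSessionCookie(cookie) {
  const findings = [];
  if (!cookie.secure) findings.push('missing Secure');
  if (!cookie.httpOnly) findings.push('missing HttpOnly');
  if (cookie.sameSite !== 'lax' && cookie.sameSite !== 'strict') {
    findings.push('SameSite not Lax/Strict');
  }
  return findings;
}

// Constructed sample responses from one origin: a hardened session cookie,
// a harmless preference cookie, and a cookie that is Secure but not HttpOnly.
const SAMPLE_HEADERS = [
  'sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',
  'theme=dark; Path=/',
  'legacy=xyz; Path=/; Secure',
];
const jar = SAMPLE_HEADERS.map(parseSetCookie);

// Stand-alone demo: an injected script on the https page still reads
// `legacy`, because Secure alone does not hide a cookie from JavaScript.
function demo() {
  console.log('sent over http :', cookiesForRequest(jar, 'http'));
  console.log('sent over https:', cookiesForRequest(jar, 'https'));
  console.log('XSS on https page sees:', JSON.stringify(documentCookie(jar, 'https')));
  for (const c of jar) console.log(c.name, auditSessionCookie(c));
}
demo();
```

Run it with `node` and note that `sid`, which has both flags, is sent on every HTTPS request yet never appears in `documentCookie`, while `legacy` (Secure only) is exactly the cookie an XSS payload on the HTTPS page would exfiltrate. The audit reports `missing HttpOnly` for it, which is the check worth adding to a response-header review.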