What should be the correct behaviour of browser when sending and receiving httponly cookie via ajax?
I currently have an issue with Firefox where it receives a cookie with the httponly flag. However, when a subsequent response is sent to the server, the request does not contain any httponly flag (which may be correct behaviour). However, when the response comes back down it returns the cookie, but it does not have the httponly flag attached, as I assume it is returning it in the same state it got it in.

So is this correct behaviour? Should I be manually updating the httponly state of the cookie on the server for each request? Or should the httponly state be persisted between calls? I am sure there may be some different behaviour per browser, but just assume modern mainstream browsers.

Wyatan answered 27/2, 2013 at 21:0 Comment(3)
Why should the browser send flags along with cookies? Also, since you mentioned AJAX, why should JavaScript have knowledge about the cookie whose HttpOnly attribute indicates the intent to hide it from JavaScript? Geometer
It shouldn't; the whole point of HttpOnly is that you cannot access it in JS. The query here was if the server had to perpetually set the HttpOnly flag on subsequent responses, which it does. Wyatan
I noticed the same behaviour from a .Net service (I did not see its source code), as if the service code ignores the presence of the cookie in the request and replies with a cookie of the same name and value. In addition to ignoring the cookie in the request, this somehow ignored the service's own web configuration instructing it to add "; HttpOnly; Secure" to each cookie. This overwrites the cookie in the browser, according to par. 11 of section 5.3 [Browser] Storage Model, HTTP State Management Mechanism, tools.ietf.org/html/rfc6265#section-5.3. Geometer
A few moments after sending this I found:

Understanding the intended behaviour of HTTPOnly flag

which indicates that this is correct behaviour and the server has to continually append the httponly flag. Seems a bit wacky, but hey, as long as I know what the intended behaviour is.

Wyatan answered 27/2, 2013 at 21:18 Comment(1)
The current answer to the linked question implies the opposite. I agree with the author of the original question suspecting a bug in the server which dropped the flags. The flags must always be present in Set-Cookie. In addition, I see no purpose in the server re-sending the same cookie. Geometer
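An added example, not code from this thread, that models the RFC 6265 section 5.3 storage rule the comments refer to: the Cookie request header carries only name=value pairs, and a Set-Cookie for the same name, domain and path replaces the stored cookie wholesale, so a server that re-issues the cookie without HttpOnly silently strips the flag. The host, cookie name and value are constructed, and the default path is simplified to "/".

```python
# Added example, not from the thread: a small model of RFC 6265 section 5.3,
# showing why the server must send HttpOnly on every Set-Cookie. Host name,
# cookie name and value are constructed; default path is simplified to "/".

def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True  # flags like HttpOnly -> True
    return name.strip(), value.strip(), attrs


class CookieJar:
    """Browser-side cookie store keyed on (name, domain, path)."""

    def __init__(self, host):
        self.host = host
        self.store = {}

    def receive(self, set_cookie_header):
        # Step 11 of the storage model: a cookie with the same name, domain and
        # path replaces the old one entirely; attributes are not merged.
        name, value, attrs = parse_set_cookie(set_cookie_header)
        key = (name, attrs.get("domain", self.host), attrs.get("path", "/"))
        self.store[key] = {
            "value": value,
            "httponly": bool(attrs.get("httponly", False)),
            "secure": bool(attrs.get("secure", False)),
        }

    def cookie_header(self):
        """The Cookie request header carries only name=value pairs, never flags."""
        return "; ".join(f"{name}={c['value']}" for (name, _, _), c in self.store.items())

    def document_cookie(self):
        """What script sees via document.cookie: HttpOnly cookies are hidden."""
        return "; ".join(f"{name}={c['value']}"
                         for (name, _, _), c in self.store.items() if not c["httponly"])


def round_trip(server_reissue_header):
    """Login sets the cookie with flags; the server then re-issues it on the
    next response. Returns (Cookie header sent, stored httponly flag after)."""
    jar = CookieJar("example.com")
    jar.receive("sid=abc123; Path=/; HttpOnly; Secure")  # login response
    sent = jar.cookie_header()                           # "sid=abc123", no flags
    jar.receive(server_reissue_header)                   # subsequent response
    return sent, jar.store[("sid", "example.com", "/")]["httponly"]
```

Calling `round_trip("sid=abc123; Path=/")` reproduces the thread's symptom (flag lost), while `round_trip("sid=abc123; Path=/; HttpOnly; Secure")` keeps it, which is why the attributes must be repeated on every Set-Cookie.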