I can view httpOnly cookies in browser
I thought that httpOnly cookies were only available to read in a http request. However, when I open up Firefox dev tools, I can see the cookies' value. Is this normal?
Yes, that's normal. You can access the cookies using the devtools.
Yes, that's normal. What HttpOnly does is it prevents cookies from being accessible to JavaScript, which makes it impossible to tamper with them programmatically (on the client). You can still access them manually through the browser's devtools. (If you couldn't, it'd be quite difficult to debug issues with them, after all.)
Thank you for the reply. If my users can access httpOnly cookies, does that mean I should not store my JSON web token there as they would be able to get the secret key? –
Plantar
It's OK to store it there, but either don't rely on it for info alone for verification that should be done on the server (such as whether the user has admin access), or encrypt it such that only the server can decode it (and so that all the client can see is nonsense characters that they have no way to modify without invalidating the whole thing). –
Stanhope
@CertainPerformance, indeed it is quite difficult to debug issues with long cookies, because Firefox truncates them (like "eyabcde..xyz", Firefox inserts these two dots). Have you any ideas how to inspect long httpOnly cookies (from localhost)? –
Northwest