Can you briefly explain the difference between HTTPOnly cookies and normal cookies?
And is a normal cookie the same as a signed cookie?
I know what an HTTPOnly cookie is, but I do not know how I can explain what a normal cookie is.
A normal cookie is accessible from JavaScript and it is also included in every request to the associated domain. A cookie with the HttpOnly attribute is blocked from JavaScript and is only included in requests to the domain.
Then optionally, you add the Secure attribute as well to force the cookie to only be sent over HTTPS and not HTTP.
SameSite attribute to prevent the cookie from being sent with cross site requests. owasp.org/www-community/SameSite – Shampoo

You can set a cookie in 2 ways:
- the document.cookie property
- the Set-Cookie header from the server

When you specify the HTTPOnly attribute in a cookie, that means you will not be able to access/modify that cookie with JavaScript (i.e. with the document.cookie property); that cookie can be accessed/modified by the server only.
and Is normal cookie same as signed cookie?
No, a signed cookie is a cookie whose value has a signature attached to it. It's used in the (backend) server while creating a session cookie (for a user), where you sign a cookie with a secret key.
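The two ideas in the answers above, side by side, as an added example that is not code from any of the posts: a server signs a cookie value with HMAC-SHA256 and emits it in a Set-Cookie header carrying the HttpOnly, Secure and SameSite attributes. The key, the function names and the `sid`/`user42` values are constructed for illustration.

```python
import base64
import hashlib
import hmac
from http.cookies import SimpleCookie

# Assumption: a server-side secret; this value is constructed for the demo.
SECRET_KEY = b"constructed-demo-key-not-for-production"


def sign_value(value: str, key: bytes = SECRET_KEY) -> str:
    """Return 'value.signature', signature = base64url(HMAC-SHA256(key, value))."""
    mac = hmac.new(key, value.encode(), hashlib.sha256).digest()
    sig = base64.urlsafe_b64encode(mac).rstrip(b"=").decode()
    return f"{value}.{sig}"


def unsign_value(signed: str, key: bytes = SECRET_KEY):
    """Return the original value if the signature verifies, otherwise None."""
    value, sep, sig = signed.rpartition(".")
    if not sep:
        return None  # no signature attached at all
    expected = sign_value(value, key).rpartition(".")[2]
    # Constant-time comparison so the check does not leak how many bytes matched.
    if hmac.compare_digest(sig.encode(), expected.encode()):
        return value
    return None


def build_set_cookie(name: str, value: str) -> str:
    """Build the Set-Cookie header value for a signed, HttpOnly cookie."""
    cookie = SimpleCookie()
    cookie[name] = sign_value(value)
    cookie[name]["httponly"] = True   # hidden from document.cookie
    cookie[name]["secure"] = True     # only sent over HTTPS
    cookie[name]["samesite"] = "Lax"  # withheld from most cross-site requests
    cookie[name]["path"] = "/"
    return cookie[name].OutputString()


if __name__ == "__main__":
    print("Set-Cookie:", build_set_cookie("sid", "user42"))
    signed = sign_value("user42")
    forged = "admin." + signed.rpartition(".")[2]  # value changed, old signature kept
    print("valid :", unsign_value(signed))
    print("forged:", unsign_value(forged))
```

Signing makes the value tamper-evident but not secret: the original value is still readable in the cookie. HttpOnly and signing are independent, so a cookie can have either, both or neither.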