Is HttpOnly necessary when SSL is already set?

About

Asked 23/12, 2011 at 3:5 Answered 23/12, 2011 at 3:17

If I already set SSL for my application server, do I still need to set HttpOnly for the cookies?

Humanist answered 23/12, 2011 at 3:5 Comment(2)

HttpOnly is intended to prevent XSS attacks. It has nothing to do with SSL. – Ceto 23/12, 2011 at 3:11

@Marc B httponly does NOT prevent xss attacks, don't spread that. XSS is still very exploitable, look at the sammy worm. – Typo 23/12, 2011 at 17:31

Yes. The two flags have nothing to do with each other (both are security/privacy options, though)

"Secure" means that the cookie will only be sent over encrypted connections
"HttpOnly" means that the cookie will not be visible to Javascript

You could still have XSS on an HTTPS page, for example (and then an evil script could eat your cookie).

Aphis answered 23/12, 2011 at 3:17 Comment(4)

As I understand, the purpose of stealing cookie here is for session hijacking. If SSL is enabled, session hijacking is not possible? (Am I correct here?) – Humanist 23/12, 2011 at 3:24

With XSS, you can have malicious Javascript to read the session cookie. You can then send it to another server (for example by creating a hidden image tag with the cookie value in the URL) and hijack the session. – Aphis 23/12, 2011 at 3:26

But is it possible to hijack the session when SSL is already enabled? – Humanist 23/12, 2011 at 3:31

Yes, if you are using session cookies only (and not additional other factors like client IP, HTTP authentication or client certificates), then you can hijack the session by getting the cookie, even when SSL is enabled. SSL just makes sure you don't get the cookie by sniffing the network. – Aphis 23/12, 2011 at 3:37

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

Recommended topics

Hot tags