httponly Questions

1

Solved

I have a Django application and am configuring some security settings. One of the settings is the SESSION_COOKIE_HTTPONLY flag. I set this flag to True. On session creation (login) I can see the ...
Microtone asked 18/11, 2015 at 17:39

1

I have a JWT token that I'd like to store in a cookie. The cookie needs to have at least HttpOnly flag set, but I would also want to set the Secure flag to true. From the angular docs I know I can...
Charades asked 10/5, 2015 at 19:27

1

I found numerous examples of adding the HttpOnly to my cookies but it does not work for me and I am not sure why. All the examples I found were the same and I copied this one from one of the posts ...
Illbred asked 4/9, 2014 at 23:28

1

I used Servlet 3.0 and I want to secure my cookies with the HttpOnly flag. My web.xml is <?xml version="1.0" encoding="UTF-8"?> <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" x...
Kovno asked 1/6, 2014 at 6:27

1

Solved

I have setup my ColdFusion application to set HTTPOnly cookies using the code below (from http://www.petefreitag.com/item/764.cfm): <cfcomponent output="false"> <cfscript> THIS.Name ...

1

I can see that HttpOnly cookies are good for security, however they make logging out without server interaction impossible, right? So when the network fails, you can't log out and leave. I can ima...
Guard asked 24/3, 2014 at 15:15

2

I'm trying to set the httponly flag on the JSESSIONID cookie. I'm working in Java EE 5, however, and can't use setHttpOnly(). First I tried to create my own JSESSIONID cookie from within the servle...
Ajmer asked 7/6, 2010 at 19:29

3

Solved

I want to make my session cookie HttpOnly. Based on this article, I added this to my application.ini: resources.session.cookie_httponly = true Unfortunately, when I look at the session cookie in...
Overriding asked 16/12, 2010 at 14:53

2

Solved

I am setting cookies as part of my mvc application: var cookie = new HttpCookie(CookieName, encryptedData) { Path = FormsAuthentication.FormsCookiePath, Domain = CookieDomain, Expires = authen...
Nutter asked 27/2, 2013 at 18:56

1

Solved

I currently have an issue with Firefox where it receives a cookie with httponly flag. However when a subsequent response is sent to the server the request does not contain any httponly flag (which ...
Wyatan asked 27/2, 2013 at 21:0

0

From everything I've read online, a web.config like this should enable HttpOnly cookies, in ASP.NET 2.0. However this is not working. <configuration> <system.web> <httpCookies http...
Gunderson asked 30/11, 2012 at 16:47

1

Solved

I am using Ruby and Sinatra to develop an application. I use enable :sessions in order to use the session variable provided by rack. How can I make all of the session cookies be HTTPOnly? Is it ...
Upraise asked 10/9, 2012 at 0:20

2

How can I get a httponly cookie in a httpwebresponse? Habitually I use a CookieContainer to get the cookies in a httpwebresponse, but it doesn't work with httponly cookie. Is there another way to...
Junco asked 17/6, 2010 at 15:10

1

I'm trying to create a cookie, with the HttpOnly flag enabled. While there seems to be a plethora of resources about how to do it in Java and .Net, I need to do it in javascript. Here is my (curr...
Eward asked 15/2, 2011 at 2:23

1

Solved

I have a slight confusion regarding HTTPOnly attribute in cookies. I am aware that its main use is for protection against XSS attacks. Let us assume there is a web application which has set httponly ...
Spessartite asked 22/5, 2012 at 8:24

2

Solved

I'm trying to turn httponly off for use in phonegap. I'm using rails 3.1 and devise, each of which have reported (but not documented) ways of doing this, none of which work: # application.rb conf...
Ly asked 2/12, 2011 at 4:42

1

Solved

If I already set SSL for my application server, do I still need to set HttpOnly for the cookies?
Humanist asked 23/12, 2011 at 3:5

3

We need to ensure that all cookies on a CF7 site are set as HttpOnly. We are using jsessionid to control our sessions, and JRun does not create this as HttpOnly. Whilst it is possible to modify a...
Catron asked 26/6, 2009 at 10:41

2

Solved

If my application places HttpOnly cookies on a client and then needs to remove them how can you remove them completely?
Browning asked 7/10, 2010 at 22:18

2

Solved

Is there a way to check if the cookie is httponly in php?
Intellectuality asked 23/9, 2010 at 15:16

9

JavaScript needs access to cookies if AJAX is used on a site with access restrictions based on cookies. Will HttpOnly cookies work on an AJAX site? Edit: Microsoft created a way to prevent XSS at...
Superintendency asked 26/8, 2008 at 13:6

4

Solved

Inspired by this CodingHorror article, "Protecting Your Cookies: HttpOnly" How do you set this property? Somewhere in the web config?
Simonize asked 28/8, 2008 at 22:14

2

Solved

Which browsers do support HttpOnly cookies, and since which version? Please see http://www.codinghorror.com/blog/archives/001167.html for a discussion of HttpOnly cookies and XSS-prevention.
Mohler asked 9/2, 2009 at 14:45
