httponly

I'm trying to create a cookie, with the HttpOnly flag enabled. While there seems to be a plethora of resources about how to do it in Java and .Net, I need to do it in javascript. Here is my (currently failing) function createCookie = function(name,value,days) { if (days) { var date = new Date(); date.setTime(date.getTime()+(days*24*60*60*1000)); var expires = "; expires="+date.toGMTString(); } else var expires = ""; document.cookie = name+"="+value+expires+"; domain=my.domain.com; path=/; HttpOnly;"; Thanks - You cannot access an HttpOnly cookie in JavaScript. The following quotation is

I found numerous examples of adding the HttpOnly to my cookies but it does not work for me and I am not sure why. All the examples I found were the same and I copied this one from one of the posts that I had found. I am using .NET 3.5 under IIS 7.0. Hopefully someone can tell me what I am doing wrong? Thanks <rewrite> <outboundRules> <rule name="Add HttpOnly" preCondition="No HttpOnly"> <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" /> <action type="Rewrite" value="{R:0}; HttpOnly" /> <conditions> </conditions> </rule> <preConditions> <preCondition name="No HttpOnly">

As the question says can you find out if a cookie exists within Javascript if it is a HttpOnly? I don't need to access the information inside of it, just know it has one. A little more information on the situation is that there was originally a web server which used a cookie as an authentication token, and it was set to httponly as it was not used by the client so it added to the security. However now there is a change needed where the client needs to know if it has the cookie (as the site can work without the user being logged in, but if they are logged in (the auth cookie would exist) the

Is it possible to set the django csrf cookie to be http-only? Alike to SESSION_COOKIE_HTTPONLY with session cookie, but for the csrf one? A new setting, CSRF_COOKIE_HTTPONLY , is available in Django 1.6+. For Django1.6+, check the accepted answer. For Django1.5 and prev, there is not setting option for this. You could override the process_response() method of django.middleware.csrf.CsrfViewMiddleware and using the customized one instead of CsrfViewMiddleware in MIDDLEWARE_CLASSES class Foo(CsrfViewMiddleware): def process_response(self, request, response): response = super(Foo, self).process

I can see that HttpOnly cookies are good for security , however they make logging out without server interaction impossible, right? 1 So when the network fails, you can't log out and leave. I can imagine a workaround, but I'd like to ask first does it make sense to handle this case are there any standard solutions for this? 1 Assuming you're actually using them. If by logging out you mean removing the session cookie, then no, you cannot remove HttpOnly cookies from Javascript. It is, however, easy to set up two cookies, one HttpOnly and one insecure, such that only a combination of the two is

Which browsers do support HttpOnly cookies, and since which version? Please see http://www.codinghorror.com/blog/archives/001167.html for a discussion of HttpOnly cookies and XSS-prevention. Michael Haren Feel free to add to this list: Internet Explorer since 6 sp1 ( source , source ) Firefox since 2.0.0.5 ( source ) Opera since 9.5 (possibly earlier) ( source ) Safari since 4 ( source ) Chrome since 1.0.154 ( source ) Up to date results can be found here: http://www.browserscope.org/?category=security (linked from the OWASP article mentioned above) OWASP have this documented. See http://www