
HttpOnly Cookies

Last updated on January 28, 2019 by Sal Ferrarello

For fun, I was copying the wordpress_logged_in_ cookie on one of my sites so I could manually set it in another browser and log in without going through the authentication step. While it worked, I noticed I could read the wordpress_logged_in_ cookie from the Chrome developer tools but I could not read the cookie with JavaScript.

Screenshot of Chrome Developer Tools Displaying Cookies.

HTTP Only

This led me to learn you can create cookies that can only be accessed server side (not via JavaScript).

To prevent cross-site scripting (XSS) attacks, HttpOnly cookies are inaccessible to JavaScript’s Document.cookie API; they are only sent to the server. For example, cookies that persist server-side sessions don’t need to be available to JavaScript, and the HttpOnly flag should be set.

Looking at the screenshot of the Chrome developer tools, you’ll notice the HTTP column; when it is checked, the cookie carries the HttpOnly flag and can only be accessed server side, not from JavaScript.

Limitations

Based on my reading, it does sound like there may still be ways to access the cookie via JavaScript if you jump through enough hoops. Nevertheless, this does make it more difficult to read a cookie in a cross-site scripting (XSS) attack.

Related: Secure Cookies

A cookie flagged as Secure is only sent to the server when the connection is secure (i.e. it uses HTTPS).
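To make the two flags concrete, here is an added example in Node.js (not code from the original post or from WordPress). It builds a Set-Cookie header value that carries the HttpOnly and Secure attributes, then audits a list of constructed Set-Cookie headers and reports session cookies that are missing either attribute, which is the check you would run against a site's responses. The cookie names and values, the wordpress_logged_in_EXAMPLEHASH suffix, and the helpers buildSetCookie, parseSetCookie and auditSetCookies are all made up for this example.

```javascript
// Added example (not from the original post): build Set-Cookie headers that
// carry HttpOnly and Secure, and audit response headers for session cookies
// that lack them. All cookie names and values below are constructed.

// Build a Set-Cookie header value. Attribute names follow RFC 6265.
// Secure: only sent over HTTPS. HttpOnly: not exposed to document.cookie.
function buildSetCookie(name, value, opts = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.path) parts.push(`Path=${opts.path}`);
  if (opts.maxAge !== undefined) parts.push(`Max-Age=${opts.maxAge}`);
  if (opts.secure) parts.push('Secure');
  if (opts.httpOnly) parts.push('HttpOnly');
  return parts.join('; ');
}

// Parse a Set-Cookie header value into the cookie name and an attribute map.
// Attribute keys are lower-cased; flag attributes (Secure, HttpOnly) map to true.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const attributes = {};
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return { name, attributes };
}

// Audit a list of Set-Cookie header values. Any cookie whose name looks like a
// session cookie must carry both HttpOnly and Secure; report what is missing.
function auditSetCookies(headers, sessionPattern = /logged_in|sess/i) {
  const findings = [];
  for (const header of headers) {
    const { name, attributes } = parseSetCookie(header);
    if (!sessionPattern.test(name)) continue; // preference cookies may be readable by JS
    const missing = [];
    if (!attributes.httponly) missing.push('HttpOnly');
    if (!attributes.secure) missing.push('Secure');
    if (missing.length > 0) findings.push({ name, missing });
  }
  return findings;
}

// Constructed sample of Set-Cookie headers a site might send (not real data).
const SAMPLE_HEADERS = [
  'wordpress_logged_in_EXAMPLEHASH=user%7C1548633600%7Ctoken; Path=/; Secure', // lacks HttpOnly
  'PHPSESSID=abc123; Path=/; HttpOnly', // lacks Secure
  'theme=dark; Path=/; Max-Age=31536000', // not a session cookie, not audited
  'sessionid=xyz; Path=/; Secure; HttpOnly', // correctly flagged
];

// Run the audit over the sample and return the findings.
function runSampleAudit() {
  return auditSetCookies(SAMPLE_HEADERS);
}

// Example of the header a server should emit for a session cookie.
const HARDENED_HEADER = buildSetCookie('sessionid', 'abc 123', {
  path: '/',
  secure: true,
  httpOnly: true,
});

console.log(HARDENED_HEADER);
console.log(runSampleAudit());
```

Running the script prints the hardened header and two findings: the wordpress_logged_in_EXAMPLEHASH cookie is missing HttpOnly and PHPSESSID is missing Secure. The audit is a reminder that the two flags are independent: HttpOnly keeps the cookie away from document.cookie, Secure keeps it off plaintext HTTP, and a session cookie needs both.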

Related Reading

  • Jeff Atwood’s Protecting Your Cookies: HttpOnly
  • MDN HTTP Cookies: Secure and HttpOnly cookies
  • StackOverflow Which browsers do support HttpOnly cookies?
  • Creating an HTTP Only Cookie in PHP
Warning! This is a draft, not a finalized post. See full draft disclosure.