For fun, I was copying the wordpress_logged_in_ cookie on one of my sites so I could manually set it in another browser and log in without going through the authentication step. While it worked, I noticed I could read the
Looking at the screenshot of the Chrome developer tools, you’ll notice the HTTP column, which, when checked, indicates the cookie can only be accessed server side.
Related: Secure Cookies
A cookie flagged as secure is only sent to the server if the connection is secure (i.e. it uses
- Jeff Atwood’s Protecting Your Cookies: HttpOnly
- MDN HTTP Cookies: Secure and HttpOnly cookies
- StackOverflow Which browsers do support HttpOnly cookies?
- Creating an HTTP Only Cookie in PHP
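
The HttpOnly and Secure flags described above can be checked mechanically from a site's Set-Cookie response headers. The following is an added example, not code from the original post: the header lines are constructed, and the `demo_session` cookie name and the function names are hypothetical.

```javascript
// Audit Set-Cookie header values for the HttpOnly and Secure flags.
// Constructed sample headers (not captured traffic).
const SAMPLE_HEADERS = [
  'wordpress_logged_in_0123abcd=constructed-value; path=/; HttpOnly',
  'wordpress_logged_in_4567cdef=constructed-value; path=/; secure; httponly',
  // The *value* is the text "HttpOnly", but no flag is set: a substring
  // search over the whole header would wrongly report this cookie as protected.
  'demo_session=HttpOnly; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT',
  'wp-settings-1=editor%3Dtinymce; path=/',
];

// Split one Set-Cookie value into the cookie name and its flags.
// Attribute names are matched case-insensitively; anything after "=" in an
// attribute is ignored when deciding whether the flag is present.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';');
  const eq = pair.indexOf('=');
  const name = (eq === -1 ? pair : pair.slice(0, eq)).trim();
  const flags = new Set(
    attrs.map((a) => a.split('=')[0].trim().toLowerCase()).filter(Boolean)
  );
  return { name, httpOnly: flags.has('httponly'), secure: flags.has('secure') };
}

// Report cookies whose name starts with a sensitive prefix and that lack
// either flag. Cookies outside the prefix list are skipped.
function auditCookies(headers, sensitivePrefixes) {
  const findings = [];
  for (const header of headers) {
    const cookie = parseSetCookie(header);
    if (!sensitivePrefixes.some((p) => cookie.name.startsWith(p))) continue;
    const missing = [];
    if (!cookie.httpOnly) missing.push('HttpOnly');
    if (!cookie.secure) missing.push('Secure');
    if (missing.length > 0) findings.push({ name: cookie.name, missing });
  }
  return findings;
}

// Prefix list is an assumption for this example.
const SENSITIVE_PREFIXES = ['wordpress_logged_in_', 'demo_session'];
for (const f of auditCookies(SAMPLE_HEADERS, SENSITIVE_PREFIXES)) {
  console.log(`${f.name}: missing ${f.missing.join(', ')}`);
}
```
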