For fun, I was copying the wordpress_logged_in_ cookie on one of my sites so I could manually set it in another browser and log in without going through the authentication step. While it worked, I noticed I could read the wordpress_logged_in_ cookie from the Chrome developer tools but I could not read the cookie with JavaScript.
HTTP Only
This led me to learn you can create cookies that can only be accessed server side (not via JavaScript).
To prevent cross-site scripting (XSS) attacks, HttpOnly cookies are inaccessible to JavaScript’s Document.cookie API; they are only sent to the server. For example, cookies that persist server-side sessions don’t need to be available to JavaScript, and the HttpOnly flag should be set.
Looking at the screenshot of the Chrome developer tools, you’ll notice the HTTP column, which, when checked, indicates the cookie can only be accessed server side.
Limitations
Based on my reading, it does sound like there may still be ways to access the cookie via JavaScript if you jump through enough hoops. Nevertheless, this does make it more difficult to read a cookie in a cross-site scripting (XSS) attack.
Related: Secure Cookies
A cookie flagged as secure is only sent to the server if the connection is secure (i.e. it uses https).
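The two flags discussed above (HttpOnly and Secure) are plain attributes on the Set-Cookie response header. The following is an added example, not code from the original post or from WordPress: it builds a Set-Cookie header carrying both flags and audits a list of Set-Cookie headers for session cookies that lack them. The header strings and the cookie values are constructed for the example; the default name prefix wordpress_logged_in_ is the one the post describes, and the SameSite attribute is an assumption added beyond the post's text.

```javascript
// Added example (not from the original post): construct and audit Set-Cookie
// headers for the HttpOnly and Secure attributes.

// Build a Set-Cookie header value. HttpOnly keeps the cookie out of
// document.cookie; Secure keeps it off plain http connections.
// SameSite is an extra hardening attribute not covered by the original post.
function buildSetCookie(name, value,
  { httpOnly = true, secure = true, path = '/', sameSite = 'Lax', maxAge } = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`, `Path=${path}`];
  if (maxAge !== undefined) parts.push(`Max-Age=${maxAge}`);
  if (sameSite) parts.push(`SameSite=${sameSite}`);
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  return parts.join('; ');
}

// Parse one Set-Cookie header value into its name, value and the flags we care
// about. Attribute names are case-insensitive per RFC 6265.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const flags = { httpOnly: false, secure: false, sameSite: null };
  for (const attr of attrs) {
    const [k, v] = attr.split('=');
    switch (k.toLowerCase()) {
      case 'httponly': flags.httpOnly = true; break;
      case 'secure': flags.secure = true; break;
      case 'samesite': flags.sameSite = v ?? null; break;
      default: break; // Path, Max-Age, Expires, Domain are not audited here
    }
  }
  return { name, value, ...flags };
}

// Report session cookies (matched by name prefix) that are missing either flag.
// Cookies outside the prefix list (e.g. a theme preference) are not flagged.
function auditCookies(headers, sessionPrefixes = ['wordpress_logged_in_']) {
  const findings = [];
  for (const header of headers) {
    const c = parseSetCookie(header);
    if (!sessionPrefixes.some((p) => c.name.startsWith(p))) continue;
    if (!c.httpOnly) findings.push(`${c.name}: missing HttpOnly (readable via document.cookie)`);
    if (!c.secure) findings.push(`${c.name}: missing Secure (sent over plain http)`);
  }
  return findings;
}

// Constructed sample headers: one hardened session cookie, one without flags,
// and one non-session cookie that is deliberately left alone.
const SAMPLE_HEADERS = [
  'wordpress_logged_in_abc=user%7C1700000000%7Ctoken; Path=/; Secure; HttpOnly',
  'wordpress_logged_in_def=user%7C1700000000%7Ctoken; Path=/',
  'theme=dark; Path=/',
];

console.log(buildSetCookie('wordpress_logged_in_abc', 'user|1700000000|token'));
console.log(auditCookies(SAMPLE_HEADERS));
```

Running the block prints the hardened header and two findings for wordpress_logged_in_def, both of which the Chrome developer tools would show as an unchecked HTTP column and an unchecked Secure column.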
Related Reading
- Jeff Atwood’s Protecting Your Cookies: HttpOnly
- MDN HTTP Cookies: Secure and HttpOnly cookies
- StackOverflow Which browsers do support HttpOnly cookies?
- Creating an HTTP Only Cookie in PHP