I have a cookie that is NOT HttpOnly. Can I set this cookie to HttpOnly via JavaScript?
An HttpOnly cookie means that it’s not available to scripting languages like JavaScript. So in JavaScript, there’s absolutely no API available to get/set the HttpOnly attribute of the cookie, as that would otherwise defeat the meaning of HttpOnly.

Just set it as such on the server side using whatever server side language the server side is using. If JavaScript is absolutely necessary for this, you could consider to just let it send some (ajax) request with e.g. some specific request parameter which triggers the server side language to create an HttpOnly cookie. But, that would still make it easy for hackers to change the HttpOnly by just XSS and still have access to the cookie via JS and thus make the HttpOnly on your cookie completely useless.
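The browser-side rules behind this answer, as an added example that is not part of the original answer: a minimal model of a cookie store applying the HttpOnly rules of RFC 6265 (sections 5.3 and 5.4). The class and function names are hypothetical, the cookie values are constructed, and cookies are keyed by name only, ignoring domain and path.

```javascript
// Minimal model of a browser cookie store, covering only the HttpOnly rules
// of RFC 6265 section 5.3 (storage) and 5.4 (retrieval). Hypothetical names;
// simplification: cookies are keyed by name only (no domain/path matching).
class CookieJar {
  constructor() { this.cookies = new Map(); } // name -> { value, httpOnly }

  // Parse "name=value; Attr; Attr=val" into a cookie record.
  static parse(str) {
    const [pair, ...attrs] = str.split(";").map((s) => s.trim());
    const eq = pair.indexOf("=");
    if (eq < 1) return null;
    const httpOnly = attrs.some((a) => a.toLowerCase() === "httponly");
    return { name: pair.slice(0, eq), value: pair.slice(eq + 1), httpOnly };
  }

  // fromHttp: true for a Set-Cookie response header, false for document.cookie.
  store(str, fromHttp) {
    const c = CookieJar.parse(str);
    if (!c) return false;
    // A non-HTTP API may not create an HttpOnly cookie: it is ignored entirely.
    if (!fromHttp && c.httpOnly) return false;
    // A non-HTTP API may not overwrite an existing HttpOnly cookie either.
    const old = this.cookies.get(c.name);
    if (!fromHttp && old && old.httpOnly) return false;
    this.cookies.set(c.name, { value: c.value, httpOnly: c.httpOnly });
    return true;
  }

  // What reading document.cookie returns: HttpOnly cookies are left out.
  documentCookie() {
    return [...this.cookies].filter(([, c]) => !c.httpOnly)
      .map(([n, c]) => `${n}=${c.value}`).join("; ");
  }

  // What the browser sends in the Cookie request header: every cookie.
  cookieHeader() {
    return [...this.cookies].map(([n, c]) => `${n}=${c.value}`).join("; ");
  }
}

// Constructed walk-through: "sid" starts out readable by script.
function demo() {
  const jar = new CookieJar();
  jar.store("sid=abc123", true); // server set it without HttpOnly
  const scriptTry = jar.store("sid=abc123; HttpOnly", false); // via document.cookie
  const afterScript = jar.documentCookie(); // still readable by script
  jar.store("sid=abc123; HttpOnly; Secure", true); // server re-issues it
  const overwrite = jar.store("sid=changed", false); // script can no longer touch it
  return { scriptTry, afterScript, afterServer: jar.documentCookie(), overwrite, sent: jar.cookieHeader() };
}
```

Only the Set-Cookie response header changes the flag; the value that was readable by script before the re-issue is unchanged by it, so rotating the value in the same response is the safer server-side choice.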