Firefox Now Supports HttpOnly Cookies
By Pete Freitag
You may be surprised to learn that Microsoft Internet Explorer has supported a security feature called HttpOnly cookies since IE 6 SP1. Firefox 2.0.0.5, which was released just the other day, now supports it as well.
When a cookie is
To set an HttpOnly cookie with ColdFusion you need to use cfheader, since cfcookie doesn't yet support it:
<cfheader name="Set-Cookie" value="safe=maybe;HttpOnly">
It would be nice if the cfcookie tag simply had an attribute HttpOnly=true/false. Go make a wish. While you are at it, it would also be nice to have a setting to make the jsessionid cookies HttpOnly, or Secure cookies.
Update: CF9 added an httponly attribute to the CFCookie tag, and CF 9.0.1 adds HttpOnly to the CFID and CFTOKEN cookies automatically.
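To check what a server actually sends, here is an added example (not code from the original post) that parses a Set-Cookie header value the way a browser does and reports which of the two hardening flags discussed above, HttpOnly and Secure, are missing. The sample headers are constructed; the jsessionid and CFID values are hypothetical.

```javascript
// Parse a single Set-Cookie header value into name, value and attributes.
// Attribute names are case-insensitive (HttpOnly, httponly, HTTPONLY match).
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: eq === -1 ? parts[0] : parts[0].slice(0, eq).trim(),
    value: eq === -1 ? '' : parts[0].slice(eq + 1).trim(),
    httpOnly: false,
    secure: false,
    attributes: {}, // other attributes such as path, domain, expires, max-age
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? true : attr.slice(i + 1).trim();
    if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'secure') cookie.secure = true;
    else cookie.attributes[key] = val;
  }
  return cookie;
}

// Return the flags a session cookie should carry but this header lacks.
function missingFlags(header) {
  const c = parseSetCookie(header);
  const missing = [];
  if (!c.httpOnly) missing.push('HttpOnly');
  if (!c.secure) missing.push('Secure');
  return missing;
}

// Constructed sample headers: the cfheader example from the post, a
// hypothetical jsessionid cookie with neither flag, and a hardened one.
const SAMPLE_HEADERS = [
  'safe=maybe;HttpOnly',
  'jsessionid=abc123; Path=/',
  'CFID=42; Path=/; Secure; HttpOnly',
];

for (const h of SAMPLE_HEADERS) {
  const missing = missingFlags(h);
  console.log(`${parseSetCookie(h).name}: ${missing.length ? 'missing ' + missing.join(', ') : 'ok'}`);
}
```

Run it against the real headers your application emits (for example from a browser's network inspector) to see whether the session cookie is protected.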
Here's an MSDN doc with some additional info about
Firefox's implementation of HttpOnly, however, still leaves open a big hole. As RSnake points out, you can make an XMLHttpRequest and read the cookie values back from the HTTP response headers. When I test in IE 6 (RSnake's example doesn't work in IE), I don't have access to the Set-Cookie header of the AJAX HTTP response. +1 for MSIE.
Firefox Now Supports HttpOnly Cookies was first published on July 19, 2007.