
Firefox Now Supports HttpOnly Cookies

Published on July 19, 2007
By Pete Freitag

You may be surprised to learn that Microsoft Internet Explorer has supported a security feature called HttpOnly cookies since IE 6 SP1. Firefox 2.0.0.5, which was released just the other day, now supports it as well.

When a cookie is HttpOnly, the web browser should not allow client side scripts such as JavaScript to have access to the cookie (see the note about Firefox's implementation below). This can help mitigate the effects of cross site scripting (XSS) attacks, since an injected script cannot simply read the session cookie out of document.cookie.

To set an HttpOnly cookie with ColdFusion you need to use cfheader, since cfcookie doesn't yet support HttpOnly:

<cfheader name="Set-Cookie" value="safe=maybe;HttpOnly">

It would be nice if the cfcookie tag simply had an attribute HttpOnly=true/false. Go make a wish. While you are at it, it would also be nice to have a setting to make the CFID, CFTOKEN and jsessionid cookies HttpOnly, or secure cookies.

Update: CF9 added an httponly setting to the CFCookie tag, and CF 9.0.1 adds HttpOnly to the CFID and CFTOKEN cookies automatically.
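Whether the flag is set by cfheader or, later, by the cfcookie attribute, the thing worth verifying is what actually comes back in the response. The following is an added example, not code from the original post: a small dependency-free checker that parses Set-Cookie header values the way a browser does (attribute names matched case-insensitively) and reports cookies missing HttpOnly, plus Secure for the session cookies named above. The SESSION_COOKIES set and the BEFORE/AFTER header lists are constructed sample data, and build_set_cookie is a hypothetical helper that produces the same kind of value the cfheader line does.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure flags.

Added example (not code from the original post). All cookie names and
header values below are constructed sample data.
"""
from dataclasses import dataclass, field

# Cookie names this site treats as session cookies (assumption for the example).
SESSION_COOKIES = {"cfid", "cftoken", "jsessionid"}


@dataclass
class CookieInfo:
    name: str
    value: str
    # lower-cased attribute name -> attribute value, or True for bare flags
    attributes: dict = field(default_factory=dict)

    @property
    def httponly(self) -> bool:
        return "httponly" in self.attributes

    @property
    def secure(self) -> bool:
        return "secure" in self.attributes


def parse_set_cookie(header_value: str) -> CookieInfo:
    """Parse one Set-Cookie header value, e.g. 'safe=maybe;HttpOnly'.

    The first segment is name=value; the remaining segments are attributes.
    Attribute names are compared case-insensitively, as browsers do, so
    'HttpOnly', 'httponly' and 'HTTPONLY' are all recognised.
    """
    segments = [s.strip() for s in header_value.split(";")]
    name, sep, value = segments[0].partition("=")
    if not sep or not name.strip():
        raise ValueError(f"malformed cookie pair: {segments[0]!r}")
    info = CookieInfo(name=name.strip(), value=value.strip())
    for seg in segments[1:]:
        if not seg:
            continue
        attr, has_value, attr_value = seg.partition("=")
        info.attributes[attr.strip().lower()] = attr_value.strip() if has_value else True
    return info


def build_set_cookie(name: str, value: str, *, httponly: bool = True,
                     secure: bool = False, path: str = "/") -> str:
    """Build a Set-Cookie header value with the requested flags (hypothetical helper)."""
    parts = [f"{name}={value}", f"Path={path}"]
    if secure:
        parts.append("Secure")
    if httponly:
        parts.append("HttpOnly")
    return "; ".join(parts)


def audit_cookies(set_cookie_headers: list[str]) -> list[str]:
    """Return one finding per cookie that lacks a flag it should carry.

    Every cookie is expected to be HttpOnly; session cookies are additionally
    expected to be Secure so they are never sent over plain HTTP.
    """
    findings = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if not cookie.httponly:
            findings.append(f"{cookie.name}: missing HttpOnly")
        if cookie.name.lower() in SESSION_COOKIES and not cookie.secure:
            findings.append(f"{cookie.name}: session cookie missing Secure")
    return findings


# Constructed sample headers: a ColdFusion app before and after adding the flags.
BEFORE = [
    "CFID=12345; Path=/",
    "CFTOKEN=67890; Path=/",
    "safe=maybe;HttpOnly",
]
AFTER = [
    build_set_cookie("CFID", "12345", httponly=True, secure=True),
    build_set_cookie("CFTOKEN", "67890", httponly=True, secure=True),
    build_set_cookie("safe", "maybe"),
]

if __name__ == "__main__":
    for label, headers in (("before", BEFORE), ("after", AFTER)):
        print(f"{label}: {audit_cookies(headers) or 'no findings'}")
```

Feed audit_cookies the list of Set-Cookie values from a real response (one entry per header, since a single cookie's attributes are semicolon separated but separate cookies arrive as separate headers) and an empty result means every cookie carries the flags you expect.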

Here's an MSDN doc with some additional info about HttpOnly.

Firefox's implementation of HttpOnly, however, still leaves open a big hole: as RSnake points out, a script can issue an XMLHttpRequest and read the cookie values back out of the HTTP response headers. When I test in IE 6 (RSnake's example doesn't work in IE), I don't have access to the Set-Cookie header from the AJAX HTTP response. +1 for MSIE.


Comments

Either I'm misreading something or you forgot the word "not" in the first sentence of the second paragraph (before the parenthesis).
by Jeremy Prevost on 07/19/2007 at 4:17:55 PM UTC
Shouldn't that be NOT allow? I was confused until I went to the MSDN site.
by David A Herman on 07/19/2007 at 6:18:44 PM UTC
You left a 'not' out of the 2nd paragraph - that confused me for a while because TFA goes on to say 'This attribute specifies that a cookie is not accessible through script. By using HTTP-only cookies, a Web site eliminates the possibility that sensitive information contained in the cookie can be sent to a hacker's computer or Web site with script.'
by Tom Chiverton on 07/20/2007 at 4:39:18 AM UTC
@Pete:

Did you mean to say:

"When a cookie is HttpOnly the web browser should *not* allow client side scripts such as JavaScript to have access to the cookie."

???
by Dan G. Switzer, II on 07/20/2007 at 7:44:19 AM UTC
@Dan

Yes that is what it should say, thanks, fixed.
by Pete Freitag on 07/23/2007 at 11:21:05 AM UTC
I'm a little confused and want to clarify. I have one main cookie file and I want to protect its values. When I added:
<cfheader name="Set-Cookie" value="safe=maybe;HttpOnly">

to my Application file it works, but as I tool around the site it sets that "safe" value multiple times, which I don't want. So I did:
<cfparam name="COOKIE.SECURITY" default="set; HttpOnly">

Is that doing the same thing and will it protect all my values? Or just the "SECURITY" value?
by Phil on 07/23/2008 at 8:20:53 AM UTC
Firefox will patch this bug in the 3.1 release https://bugzilla.mozilla.org/show_bug.cgi?id=380418
by Jim Manico on 09/24/2008 at 5:27:43 PM UTC