Understanding the intended behaviour of HTTPOnly flag
1.5k Views Asked by Mechanic At

I have a slight confusion regarding the HTTPOnly attribute in cookies. I am aware that its main use is for protection against XSS attacks. Let us assume there is a web application which has set HttpOnly enabled for the cookie. I used an interception proxy like Fiddler for this. But in all subsequent transactions the cookie is not accompanied with the HttpOnly flag. Is this a feature, like set it once and the whole session is covered under the HttpOnly flag, or is this an implementation flaw? But again, when monitored through a cookie manager addon, the properties show that HttpOnly is enabled. My question is: if it's enabled, why does the cookie manager show it enabled but not an interception proxy? Is this the normal expected behaviour or a wrong implementation? Please help me understand.
HttpOnly is sent by the server in the Set-Cookie header to instruct the browser not to make the cookie available to JavaScript. The browser will still send it over HTTP connections. The Set-Cookie header can contain all sorts of instructions for cookies, like when they expire, what domain they are for, which path, whether they should only be sent over HTTPS (Secure flag) and HttpOnly. These are all instructions from the server to the browser, so there is no point in the browser sending them back to the server on each request.
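To make the one-way nature of these attributes concrete, here is an added example (not from the original post) that models the browser side: it parses Set-Cookie headers, builds the Cookie request header a proxy would see, and shows what script gets from document.cookie. The cookie names and values are constructed.

```python
"""Minimal model of browser handling of Set-Cookie attributes (added example)."""
from typing import Dict, List

# Constructed sample response headers, as a server might send them.
SAMPLE_HEADERS = [
    "SESSIONID=abc123; Path=/; HttpOnly; Secure",
    "theme=dark; Path=/",
]


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie value into name, value and the attributes we model."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(),
              "httponly": False, "secure": False, "path": "/", "domain": None}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "httponly":
            cookie["httponly"] = True
        elif key == "secure":
            cookie["secure"] = True
        elif key in ("path", "domain"):
            cookie[key] = val.strip()
        # Expires / Max-Age are stored the same way in a real jar; omitted here.
    return cookie


class BrowserCookieJar:
    """Stores cookies with their attributes, as a cookie manager addon shows them."""

    def __init__(self) -> None:
        self.cookies: Dict[str, dict] = {}

    def receive(self, set_cookie_headers: List[str]) -> None:
        for header in set_cookie_headers:
            cookie = parse_set_cookie(header)
            self.cookies[cookie["name"]] = cookie

    def cookie_header(self, https: bool) -> str:
        """Cookie request header: only name=value pairs, never the attributes.
        Secure cookies are withheld on plain HTTP; HttpOnly ones are still sent."""
        sent = [f'{c["name"]}={c["value"]}' for c in self.cookies.values()
                if https or not c["secure"]]
        return "; ".join(sent)

    def document_cookie(self) -> str:
        """What page script sees via document.cookie: HttpOnly cookies are hidden."""
        return "; ".join(f'{c["name"]}={c["value"]}'
                         for c in self.cookies.values() if not c["httponly"])
```

The proxy sees `cookie_header()`, which carries no flags at all, while the addon inspects the jar entries, which is why the two views differ.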