Published on 2007-07-24 11:55:50

httpOnly cookies have been added silently to Firefox 2.0.0.5. This lets you mark a cookie as HTTP-only so that it is sent with requests but is not accessible from JavaScript through document.cookie. It is an excellent option for protecting cookies against XSS, but it is still not available on many browsers, such as IE 5.5 on Mac. While httpOnly prevents JavaScript from reading cookies through document.cookie, you can still get at these cookies using AJAX, as illustrated in this example: the cookie values remain visible in the response headers returned to XMLHttpRequest. The problem has existed for a long time on IE, and it seems Firefox took over the feature along with its vulnerabilities. Via ha.ckers.org.

The only problem I see with using this as protection against credential theft is that the cookies are still visible using XMLHttpRequest. If you look at Alex's example, it looks secure because the cookie is not visible. But if you look at this example you can see that using XMLHttpRequest you can still get access to the cookie by looking at the headers.
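A defender-side check for the gap described above, written as an added example that is not part of the original post or of ha.ckers.org's demonstration: it takes a raw header block in the text form XMLHttpRequest.getAllResponseHeaders() returns, parses every Set-Cookie header, and reports two things a reviewer would want to know: cookies that lack the HttpOnly attribute (readable through document.cookie), and sensitive cookies such as the session id that are re-issued in a script-readable response at all, since HttpOnly does nothing for a value that arrives in a header the script can read. The header text and the cookie name PHPSESSID are constructed sample input.

```javascript
// Added example, not code from the original post. The header block below is
// constructed to look like XMLHttpRequest.getAllResponseHeaders() output.

// Parse one Set-Cookie header value into name, value and attribute flags.
function parseSetCookie(headerValue) {
  const parts = headerValue.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  const value = eq === -1 ? '' : parts[0].slice(eq + 1);
  const attrs = {};
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return {
    name,
    value,
    httpOnly: attrs.httponly === true,
    secure: attrs.secure === true,
    attributes: attrs,
  };
}

// Split the CRLF-separated header block and collect every Set-Cookie header.
function extractSetCookies(rawHeaders) {
  const cookies = [];
  for (const line of rawHeaders.split(/\r?\n/)) {
    const colon = line.indexOf(':');
    if (colon === -1) continue;
    if (line.slice(0, colon).trim().toLowerCase() !== 'set-cookie') continue;
    cookies.push(parseSetCookie(line.slice(colon + 1).trim()));
  }
  return cookies;
}

// Report what a script reading these response headers could learn.
// `sensitiveNames` lists cookies (e.g. the session id) that should never be
// re-issued in a response page scripts can fetch, HttpOnly or not.
function auditResponseHeaders(rawHeaders, sensitiveNames) {
  const findings = [];
  for (const c of extractSetCookies(rawHeaders)) {
    if (!c.httpOnly) {
      findings.push(`${c.name}: missing HttpOnly (readable via document.cookie)`);
    }
    if (sensitiveNames.includes(c.name)) {
      findings.push(`${c.name}: Set-Cookie present in a script-readable response`);
    }
  }
  return findings;
}

// Constructed sample: a session cookie correctly flagged HttpOnly, plus a
// preference cookie without the flag.
const SAMPLE_HEADERS =
  'Content-Type: text/html\r\n' +
  'Set-Cookie: PHPSESSID=abc123; path=/; HttpOnly\r\n' +
  'Set-Cookie: theme=dark; path=/\r\n';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(auditResponseHeaders(SAMPLE_HEADERS, ['PHPSESSID']));
}
```

Run against the sample, the audit flags the session cookie even though it carries HttpOnly, which is the point of the post: the attribute governs document.cookie, not the headers of a response the page's own scripts can read, so the server-side mitigation is to issue the session Set-Cookie only on the login response rather than on every request.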


Member of the PHP Magazine Network, Copyright (C) 2005-2008 phpmagazine.net All Rights Reserved