adding httpOnly option #324
igorescobar wants to merge 1 commit into carhartl:master from igorescobar:patch-1
Conversation
An explanation would be nice. |
The explanation is on the other issue of yours, I thought that's sufficient. Pasting the link here as well: http://stackoverflow.com/questions/14691654/set-a-cookie-to-httponly-via-javascript Basically, you cannot write a cookie from the client that's supposed to be "not allowed on client". Imagine you have an HttpOnly cookie set on the server. Do you expect it to be possible to be overwritten in the client (js) or not?
I thought that I would be able to create it but never get it... |
Which is exactly what I want... My login screen is pure js. I want to set all my cookies but never be able to get or modify it again by the client. |
If you were able to set it, you were able to overwrite a cookie set on the server, and that would defeat the idea of HttpOnly. |
God damn it... |
Really, it doesn't work. There's a contradiction even in your own requirement, which a bit translated reads: I want to be able to set it but never set it again. There is no such API available that allows writing a cookie when it doesn't exist but no more when it does.
Yep... makes sense... I thought that I would be able to at least create it... but it makes a lot of sense. Yep... I'm stupid ;)
It should cover the HttpOnly cookie option:
https://www.owasp.org/index.php/HttpOnly
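The rule the thread arrives at is the browser's cookie-storage algorithm (RFC 6265 section 5.3): a cookie written through a non-HTTP API such as document.cookie is dropped if it carries HttpOnly, and it is also dropped if it would replace an existing HttpOnly cookie. The small model below is an added example, not jquery-cookie code; the jar is a constructed Map keyed by cookie name only (domain and path are ignored), and the cookie strings are made up.

```javascript
// Minimal model of RFC 6265 section 5.3 storage rules for HttpOnly.
// Added example; the cookie jar and sample cookies are constructed here.

function parseCookieString(str) {
  const [pair, ...attrs] = str.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq).trim(),
    value: pair.slice(eq + 1).trim(),
    httpOnly: false,
  };
  for (const attr of attrs) {
    if (attr.toLowerCase() === 'httponly') cookie.httpOnly = true;
  }
  return cookie;
}

// source is 'http' for a Set-Cookie response header and 'non-http' for
// document.cookie. Returns true if the cookie was stored, false if ignored.
function storeCookie(jar, str, source) {
  const cookie = parseCookieString(str);
  // A non-HTTP API may not create an HttpOnly cookie at all.
  if (source === 'non-http' && cookie.httpOnly) return false;
  const existing = jar.get(cookie.name);
  // A non-HTTP API may not replace a cookie the server marked HttpOnly.
  if (existing && existing.httpOnly && source === 'non-http') return false;
  jar.set(cookie.name, cookie);
  return true;
}

// Walks through the cases discussed in the thread and reports what the jar holds.
function demo() {
  const jar = new Map();
  const results = {
    serverSetsHttpOnly: storeCookie(jar, 'session=abc123; HttpOnly', 'http'),
    jsCreatesHttpOnly: storeCookie(jar, 'token=xyz; HttpOnly', 'non-http'),
    jsOverwritesSession: storeCookie(jar, 'session=evil', 'non-http'),
    jsSetsPlainCookie: storeCookie(jar, 'theme=dark', 'non-http'),
  };
  return {
    results,
    sessionValue: jar.get('session').value,
    tokenStored: jar.has('token'),
  };
}
```

Only the server-side Set-Cookie header can create or replace an HttpOnly cookie, which is why a client-side library cannot offer a working httpOnly option.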