Home page logo
/

webappsec logo WebApp Sec mailing list archives

Re: Reviewing security parameters
From: Matt Summers <matt () pd9soft com>
Date: Fri, 16 Apr 2004 17:31:20 -0500

You add this attribute to the cookie in the HTTP response header.
http://msdn.microsoft.com/workshop/author/dhtml/httponly_cookies.asp

Mozilla has plans to follow suit.
http://bugzilla.mozilla.org/show_bug.cgi?id=178993


Jared wrote:

On Apr 16, 2004, at 3:01 PM, V. Poddubniy wrote:

Don't forget to set cookie as HttpOnly (this is useful at least for
users of IE 6 SP1). This will tell browser not to tell on-page scrips
(javascript, etc.) the cookie.


how does one do this? I was under the impression that you could set a cookie to only be sent via HTTPS/SSL, but not with any other restrictions.

Is this a feature that is unique to a particular web application environment, i.e. ASP.Net, PHP, JSP?

cheers,

- Jared





  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]