How to read a HttpOnly cookie using JavaScript
Different browsers enable different security measures when the HttpOnly flag is set. For instance, Opera and Safari do not prevent JavaScript from writing to the cookie. However, reading is always forbidden on the latest version of all major browsers.
But more importantly, why do you want to read an HttpOnly cookie? If you are a developer, just disable the flag and make sure you test your code for XSS. I recommend that you avoid disabling this flag if at all possible. The HttpOnly flag and the "Secure" flag (which forces the cookie to be sent over HTTPS) should always be set.
If you are an attacker, then you want to hijack a session. But there is an easy way to hijack a session despite the HttpOnly flag: you can still ride on the session without knowing the session ID. The MySpace Samy worm did just that. It used an XHR to read a CSRF token and then perform an authorized task. Therefore, the attacker could do almost anything that the logged-in user could do.
People have too much faith in the HttpOnly flag; XSS can still be exploitable. You should set up barriers around sensitive features. For example, the change-password field should require the current password, and an admin's ability to create a new account should require a CAPTCHA, which is a CSRF prevention technique that cannot be easily bypassed with an XHR.
how to read HttpOnly cookies using JavaScript?
You can't - that's the whole point of HttpOnly.
A cookie with the HttpOnly attribute is inaccessible to the JavaScript Document.cookie API; it is sent only to the server. For example, cookies that persist server-side sessions don't need to be available to JavaScript, and should have the HttpOnly attribute. This precaution helps mitigate cross-site scripting (XSS) attacks.
Info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
If your cookie does not contain sensitive info (such as a server-side session) then it should not be marked HttpOnly!
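The first answer's recommendation that session cookies always carry the HttpOnly and Secure flags, and the second answer's point that a server-side session cookie should be HttpOnly, can be enforced and audited where the cookie is issued: on the server. The following is an added example, not code from any of the answers above. It is a Node.js script that builds a hardened Set-Cookie header value and audits a list of Set-Cookie headers for session-like cookies that are missing those attributes (SameSite is checked as well, which goes slightly beyond the answers). The helper names, the sample headers and the list of session cookie names are constructed assumptions for the example.

```javascript
// Added example (not from the original answers). Assumes Node.js; all sample data is constructed.

// Build a Set-Cookie header value for a session cookie with the attributes the answers recommend.
// HttpOnly keeps it out of document.cookie, Secure restricts it to HTTPS, SameSite limits CSRF.
function buildSessionCookie(name, value, { maxAge = 3600, sameSite = 'Lax' } = {}) {
  // Refuse characters that would let a value inject extra attributes into the header.
  if (/[;,\s]/.test(name) || /[;,\s]/.test(value)) {
    throw new Error('cookie name/value may not contain ";", "," or whitespace');
  }
  return `${name}=${value}; Path=/; Max-Age=${maxAge}; HttpOnly; Secure; SameSite=${sameSite}`;
}

// Parse one Set-Cookie header value into name, value and a lower-cased attribute map.
// Flag attributes (HttpOnly, Secure) map to true; valued attributes keep their value.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const attributes = {};
  for (const a of attrs) {
    if (!a) continue;
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : a.slice(i + 1);
  }
  return { name, value, attributes };
}

// Audit a list of Set-Cookie headers. Cookies whose name looks like a session cookie
// (assumed list below) and that lack HttpOnly, Secure or SameSite are reported as findings.
function auditSetCookies(headers, sessionNames = ['sessionid', 'sid', 'phpsessid', 'jsessionid']) {
  const findings = [];
  for (const header of headers) {
    const cookie = parseSetCookie(header);
    const missing = [];
    if (!cookie.attributes.httponly) missing.push('HttpOnly');
    if (!cookie.attributes.secure) missing.push('Secure');
    if (!cookie.attributes.samesite) missing.push('SameSite');
    const isSession = sessionNames.includes(cookie.name.toLowerCase());
    if (isSession && missing.length > 0) {
      findings.push({ cookie: cookie.name, missing });
    }
  }
  return findings;
}

// Constructed sample headers, as a server might emit them.
const SAMPLE_HEADERS = [
  buildSessionCookie('sessionid', 'abc123'), // hardened session cookie
  'sid=xyz789; Path=/',                      // weak: script-readable and sent over plain HTTP
  'theme=dark; Path=/; Max-Age=31536000',    // non-sensitive UI preference, no session data
];

console.log(JSON.stringify(auditSetCookies(SAMPLE_HEADERS), null, 2));
```

Run it with `node` and the audit reports only the `sid` cookie, which lacks all three attributes. The browser-side counterpart to this check is trivial and is exactly what the answers say: a properly flagged session cookie simply never appears in `document.cookie`, so there is nothing for page script to read or to test for.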
Check if httponly cookie exists in Javascript
No. And see Rob's comments below.
See this, which you probably already saw - http://en.wikipedia.org/wiki/HTTP_cookie#Secure_and_HttpOnly
An HttpOnly cookie is not accessible via non-HTTP methods, such as calls via JavaScript (e.g., referencing "document.cookie")...
Edit: Removed undefined response, I wrote a script that you may not be using :)
Can someone copy http-only cookie from client pc?
The whole point of HttpOnly cookies is that they can't be accessed by JavaScript.
Reading an HttpOnly cookie is always forbidden on the latest version of all major browsers.
But more importantly, why do you want to read an HttpOnly cookie if you are not an attacker?
And someone cannot copy HttpOnly cookies. Its purpose is to be inaccessible to scripts.