Set a cookie to HttpOnly via Javascript
An HttpOnly cookie means that it's not available to scripting languages like JavaScript. So in JavaScript, there's absolutely no API available to get/set the HttpOnly attribute of the cookie, as that would otherwise defeat the meaning of HttpOnly.
Just set it as such on the server side using whatever server-side language the server is using. If JavaScript is absolutely necessary for this, you could consider just letting it send some (ajax) request with e.g. some specific request parameter which triggers the server-side language to create an HttpOnly cookie. But that would still make it easy for hackers to change the HttpOnly just via XSS and still have access to the cookie via JS, and thus make the HttpOnly on your cookie completely useless.
How can I create secure/httpOnly cookies with document.cookie?
See MDN:
A cookie with the HttpOnly attribute is inaccessible to the JavaScript Document.cookie API; it is sent only to the server. For example, cookies that persist server-side sessions don't need to be available to JavaScript, and should have the HttpOnly attribute. This precaution helps mitigate cross-site scripting (XSS) attacks.
You can't set it with document.cookie because the entire point of the flag is to prevent it being set (or read) with document.cookie.
Cookie secure flag using javascript
It is impossible to create an HttpOnly cookie with JavaScript. An HttpOnly cookie means it is not accessible by scripting languages, and therefore it cannot be created by JavaScript.
To prevent cross-site scripting (XSS) attacks, HttpOnly cookies are inaccessible to JavaScript's Document.cookie API; they are only sent to the server. For example, cookies that persist server-side sessions don't need to be available to JavaScript, and the HttpOnly flag should be set.
Source: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
How to read a HttpOnly cookie using JavaScript
Different browsers enable different security measures when the HTTPOnly flag is set. For instance, Opera and Safari do not prevent JavaScript from writing to the cookie. However, reading is always forbidden on the latest version of all major browsers.
But more importantly, why do you want to read an HTTPOnly cookie? If you are a developer, just disable the flag and make sure you test your code for XSS. I recommend that you avoid disabling this flag if at all possible. The HTTPOnly flag and "secure flag" (which forces the cookie to be sent over HTTPS) should always be set.
If you are an attacker, then you want to hijack a session. But there is an easy way to hijack a session despite the HTTPOnly flag. You can still ride on the session without knowing the session id. The MySpace Samy worm did just that. It used an XHR to read a CSRF token and then perform an authorized task. Therefore, the attacker could do almost anything that the logged-in user could do.
People have too much faith in the HTTPOnly flag; XSS can still be exploitable. You should set up barriers around sensitive features. For example, the change-password field should require the current password. An admin's ability to create a new account should require a captcha, which is a CSRF prevention technique that cannot be easily bypassed with an XHR.