Firefox eats httpOnly cookies
Firefox has implemented httpOnly cookies in version 2.0.0.5.
What’s the big deal? How are they different? Basically, httpOnly cookies are mostly just regular cookies, usable in the standard cookie ways, but also tagged so that browsers keep them invisible to JavaScript. That means that if you have an XSS hole (Cross-site scripting, a technique for injecting JavaScript into a site’s pages and stored data) in your website, it will be harder for malicious evil-doers to read cookies and hijack user sessions. The cookies are still sent with every HTTP request to your site, so server-side code sees them as usual (which is probably what you as a developer intended).
In terms of technical implementation, it simply adds the “HttpOnly” attribute to the Set-Cookie header.
```http
# Standard cookie header
Set-Cookie: person_id=42; expires=Wednesday, 31-Dec-07 23:59:59 GMT;

# httpOnly cookie header
Set-Cookie: person_id=42; expires=Wednesday, 31-Dec-07 23:59:59 GMT; HttpOnly
```
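As an added example (not code from the original post), the following Python builds the two headers above with the standard library’s `http.cookies` module and then audits a constructed list of `Set-Cookie` response headers for session cookies that lack the HttpOnly attribute, which is the check a reviewer would run against a site after the post’s advice is applied. The `SESSION_COOKIE_NAMES` set, the `SAMPLE_HEADERS` list and the helper names are assumptions made for this example; the attribute parser is deliberately case-insensitive because browsers treat `HttpOnly`, `httponly` and `HTTPONLY` alike.

```python
from http.cookies import SimpleCookie


def build_cookie_header(name, value, expires, http_only=True):
    """Return the value of a Set-Cookie header, with HttpOnly appended when asked."""
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["expires"] = expires  # passed through verbatim as a string
    if http_only:
        cookie[name]["httponly"] = True  # rendered as the bare "HttpOnly" flag
    return cookie[name].OutputString()


def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased; flags without "=" (HttpOnly, Secure)
    map to True. An empty trailing attribute (a dangling ";") is ignored.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def is_http_only(header_value):
    """True only when the bare HttpOnly flag is present."""
    return parse_set_cookie(header_value)[2].get("httponly") is True


# Constructed list of cookie names that carry a session (assumption for this example).
SESSION_COOKIE_NAMES = {"person_id", "phpsessid", "_session_id"}


def audit_set_cookie_headers(headers):
    """Return the session cookies in `headers` that a script could still read."""
    exposed = []
    for header_value in headers:
        name, _, attrs = parse_set_cookie(header_value)
        if name.lower() in SESSION_COOKIE_NAMES and attrs.get("httponly") is not True:
            exposed.append(name)
    return exposed


# Constructed sample: the post's two headers plus a non-session cookie.
SAMPLE_HEADERS = [
    "person_id=42; expires=Wednesday, 31-Dec-07 23:59:59 GMT;",
    "_session_id=abc123; path=/; HttpOnly",
    "theme=dark; path=/",
]

if __name__ == "__main__":
    print(build_cookie_header("person_id", "42", "Wednesday, 31-Dec-07 23:59:59 GMT"))
    print("session cookies readable by script:", audit_set_cookie_headers(SAMPLE_HEADERS))
```

The audit flags `person_id` because its header has no HttpOnly attribute, and leaves `theme` alone because it is not a session cookie; adding `Secure` to the attribute set would extend the same check to cookies sent over plain HTTP.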
Internet Explorer added support for httpOnly cookies in IE 6.0. Safari and Opera still do not support them, but it’s planned for Opera version 9.5. I couldn’t find any hints online as to Safari’s plans.
PHP added support for setting httpOnly cookies and sessions in version 5.2. Ruby on Rails has a patch (#8895) ready that will hopefully make it into the next version.
