开发者

Should a session cookie always be HttpOnly?

开发者 https://www.devze.com 2023-03-22 16:48 出处：网络

Should a session 开发者_运维技巧cookie always be HttpOnly?There is very little reason why JavaScript should access the session cookie. The only one I\'ve come across is one where flash had to have acc

相关专题：security session xss

Should a session 开发者_运维技巧cookie always be HttpOnly?

There is very little reason why JavaScript should access the session cookie. The only one I've come across is one where flash had to have access to the cookie because it had to make its own requests that were authorised via the same cookies. And to give flash the cookies I had to print the cookies onto the page (which made them available to JS).

That still would have worked with HttpOnly flag set (but that flag would have been redundant).

In short, yes, set the flag.

If you only ever want to access it via HTTP (not JavaScript), then yes.

Some older browsers allowed you to dig in the headers via XHR for the cookie. I believe this has been fixed in newer versions.