I have a cookie that is NOT HttpOnly

Can I set this cookie to HttpOnly via JavaScript?

- [+1] How would it be possible to set a cookie by JavaScript which JavaScript itself isn't supposed to be able to manipulate? Just set it in the server side. – BalusC Feb 04 '13 at 17:05
- [+2] The cookie is NOT HttpOnly and I want to set it to HttpOnly via JavaScript. – Feb 04 '13 at 17:06
- [+9] I think you miss the point of HttpOnly. – BalusC Feb 04 '13 at 17:06
- [+6] Great question. There really isn't any downside to setting an HttpOnly cookie from the client as far as security goes. So you'd think that it would be allowed. But of course it isn't. – PHP Guru Sep 30 '20 at 23:49
1 Answer
An `HttpOnly` cookie means that it's not available to scripting languages like JavaScript. So in JavaScript, there's absolutely no API available to get/set the `HttpOnly` attribute of the cookie, as that would otherwise defeat the meaning of `HttpOnly`.

Just set it as such on the server side using whatever server side language the server side is using. If JavaScript is absolutely necessary for this, you could consider just letting it send some (ajax) request with e.g. some specific request parameter which triggers the server side language to create an `HttpOnly` cookie. But that would still make it easy for hackers to change the `HttpOnly` by just XSS and still have access to the cookie via JS, and thus make the `HttpOnly` on your cookie completely useless.
- [+4] I'm wondering how could a client side app like "EditThisCookie" browser extension change the HttpOnly flag to false. – pavanw3b Oct 05 '15 at 07:34
- [+1] @PavanW3b: It doesn't use a client side scripting language like JavaScript for that. It's just a browser extension. – BalusC Oct 05 '15 at 07:34
- I figured out from the below article and comment that a browser extension has an elevated privilege to modify HttpOnly cookies. http://www.troyhunt.com/2013/03/c-is-for-cookie-h-is-for-hacker.html#comment-2264963488 – pavanw3b Oct 06 '15 at 08:48
- [+1] @Pavanw3b: Browser extensions are not written in JavaScript. They are written in browser native language/framework. The enduser has still no control over that by JavaScript means. It's a completely different subject/perspective. – BalusC Oct 06 '15 at 09:05
- [+11] @BalusC Browser extensions are written in JS and have been for some time https://developer.chrome.com/extensions "You write them using web technologies such as HTML, JavaScript, and CSS." https://developer.mozilla.org/en-US/Add-ons/WebExtensions/What_are_WebExtensions "They are written using standard Web technologies - JavaScript, HTML, and CSS - plus some dedicated JavaScript APIs." An example of an open source one written in 2013: https://github.com/Asana/Chrome-Extension-Example – Justin Hamade Jan 25 '17 at 18:36
- [+114] I don't really see how being able to set HttpOnly from JS would "defeat the meaning of `HttpOnly`", so long as the cookie is still unreadable from the script... – Dec 25 '17 at 02:06
- [+1] @M.I.Wright: it's possible to create cookies using JS. OP's intent is to set it `HttpOnly` while creating the cookie in JS. – BalusC Dec 25 '17 at 10:24
- [+8] MDN says it's forbidden. https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#JavaScript_access_using_Document.cookie – mpoisot Sep 21 '19 at 21:20
- [+13] @M.I.Wright It could potentially allow you to write over a httponly cookie, which would then allow you to brute force session cookies etc., so XSS attacks (especially DoS) would still be possible. – Rick Jun 13 '20 at 19:06
- [+1] @BalusC Have recently posted a somewhat [related answer](https://stackoverflow.com/a/73599289/17865804), and the part where you say _"still make it easy for hackers to change the `HttpOnly` by just XSS and still have access to the cookie via JS..."_ makes me wonder if that's possible. If, for example, you send an ajax request to the server, which will respond with a `Set-Cookie` header, including the `HttpOnly` flag, how could an attacker access the cookie via JS, since `HttpOnly` cookies are not accessible via JS (as well as one can't create cookies via JS that include the `HttpOnly` flag)? – Chris Sep 07 '22 at 13:20
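The rules the answer and the comment thread argue about, as an added example (not from the original post and not any browser's code): a Node.js model of the RFC 6265 section 5.3 cookie-store steps that apply here. `buildSetCookie` is what the server side would emit, and `CookieStore` shows why a `document.cookie` write can neither create an `HttpOnly` cookie nor overwrite one the server set, while the `Cookie` request header still carries it; the function names and the single-origin, single-path simplification are assumptions of this example.

```javascript
'use strict';

// Build a Set-Cookie header value the way the server side would emit it.
// Defaults are the hardened ones: HttpOnly, Secure, SameSite=Lax.
function buildSetCookie(name, value, opts = {}) {
  const { httpOnly = true, secure = true, sameSite = 'Lax', path = '/' } = opts;
  const parts = [`${name}=${encodeURIComponent(value)}`, `Path=${path}`, `SameSite=${sameSite}`];
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  return parts.join('; ');
}

// Parse "name=value; Attr; Attr=..." into name, value and the HttpOnly flag.
function parseCookie(str) {
  const [pair, ...attrs] = str.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq <= 0) return null;
  const httpOnly = attrs.some((a) => a.toLowerCase() === 'httponly');
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), httpOnly };
}

// Minimal cookie store (assumed single origin and path, no expiry handling)
// applying the RFC 6265 section 5.3 storage rules that matter here.
class CookieStore {
  constructor() { this.jar = new Map(); }
  store(str, fromHttp) {
    const c = parseCookie(str);
    if (!c) return false;
    // Step 10: a non-HTTP API (document.cookie) may not create an HttpOnly cookie.
    if (!fromHttp && c.httpOnly) return false;
    // Step 11: a non-HTTP API may not replace an existing HttpOnly cookie.
    const old = this.jar.get(c.name);
    if (!fromHttp && old && old.httpOnly) return false;
    this.jar.set(c.name, c);
    return true;
  }
  setCookieHeader(str) { return this.store(str, true); }    // Set-Cookie response header
  setDocumentCookie(str) { return this.store(str, false); } // document.cookie = "..."
  // What script sees through document.cookie: HttpOnly cookies are omitted.
  get documentCookie() {
    return [...this.jar.values()].filter((c) => !c.httpOnly)
      .map((c) => `${c.name}=${c.value}`).join('; ');
  }
  // What the browser sends in the Cookie request header: every stored cookie.
  get cookieHeader() {
    return [...this.jar.values()].map((c) => `${c.name}=${c.value}`).join('; ');
  }
}
```

A server-side handler that answers the ajax request from the answer would just put `buildSetCookie('session', id)` into its `Set-Cookie` header; the script that triggered it never gets to read the result.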