2

I've made some configuration changes to (finally) have my cookies set to HttpOnly.

They "seem" to work.

I've tried them with Postman and I have the following:

When I hit the login page:

In the Cookies section, my cookie named JSESSIONID appears to be HttpOnly (it has the check mark).

When I enter the logged-in area, the same result...

The headers don't give me more details.

Then,

I check it with Google Chrome. I open the developer toolbar.

I load the login page.

In the Headers tab, under Response Headers, I get

Set-Cookie: JSESSIONID=434434..... HttpOnly

So, it's fine (I guess).

Then I reload the page (or sign in).

Then the problem:

No response headers received.

The Request Headers show my cookie (with the same ID as the previous one) without the HttpOnly, host info or any other cookie value I set before.

In the Cookies tab I get Request Cookies only and no Response Cookies.

And the request cookie is non-HttpOnly.


In my Resources tab, the cookie is there, as HttpOnly and with the previous values I set.

My question now is... Is it really an HttpOnly cookie? Or is my configuration not set properly?

Should I always get the response cookie, or should the request cookie always be HttpOnly (in case I am trying to set it as HttpOnly), or is this behavior normal (or at least accepted)?

When I try to print my cookie with JavaScript in both scenarios I get null (which makes me think it is correct).

Ideas?

BalusC
jpganz18

1 Answer

2

The client doesn't send cookie attributes other than name and value back to the server.

See also RFC 6265 section 4.2.2 (emphasis mine).

4.2.2. Semantics

Each cookie-pair represents a cookie stored by the user agent. The cookie-pair contains the cookie-name and cookie-value the user agent received in the Set-Cookie header.

Notice that the cookie attributes are not returned. In particular, the server cannot determine from the Cookie header alone when a cookie will expire, for which hosts the cookie is valid, for which paths the cookie is valid, or whether the cookie was set with the Secure or HttpOnly attributes.

Everything's behaving as specified.

BalusC
  • So, does it mean that the cookie is "HttpOnly" being like that? – jpganz18 Feb 26 '16 at 15:23
  • If the server has set it HttpOnly, yes. – BalusC Feb 26 '16 at 15:33
  • If the second response's headers contain the same cookie but without HttpOnly, then you've set it all by yourself on the server side. – BalusC Feb 26 '16 at 16:08
  • Yes, it contains the same cookie but without the HttpOnly... but when you say "you've set all by yourself in the server side"... does that mean the cookie is set as HttpOnly correctly? – jpganz18 Feb 26 '16 at 17:43
  • The ones in the response are set by yourself. The ones in the request (as in your screenshot) are sent by the client. I guess you're confusing request with response. – BalusC Feb 26 '16 at 19:12
  • Umm, makes sense, so those cookies are the ones being sent to be validated by my application, right? – jpganz18 Feb 26 '16 at 20:18
  • This is perhaps helpful to get some fundamental understanding of cookies and sessions: http://stackoverflow.com/q/3106452 – BalusC Feb 26 '16 at 20:20
  • `HttpOnly` is for the *server* to tell the *client*: "hey, don't send this cookie back to me if the request is not over a user HTTP session". It also prevents client-side scripts from accessing the cookie and sending it back. See [this HttpOnly overview](https://owasp.org/www-community/HttpOnly). – Remy Lebeau Jan 30 '23 at 20:05
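The answer's point (the browser stores the Set-Cookie attributes but echoes only `name=value` in the Cookie request header, and `HttpOnly` hides the cookie from page scripts), as an added example that is not code from the question, the answer or the comments; the cookie jar model and the sample header values are constructed for illustration:

```javascript
// Added example: a minimal model of what a browser keeps from a Set-Cookie
// response header and what it sends back in the Cookie request header.

// Parse one Set-Cookie header into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const attr of rest) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Build the Cookie request header from the stored jar. Per RFC 6265 section
// 4.2.2 only cookie-name=cookie-value travels back; HttpOnly, Path, Secure
// and the rest stay in the browser, so the Request Headers tab never shows them.
function buildCookieHeader(jar) {
  return jar.map((c) => `${c.name}=${c.value}`).join("; ");
}

// What document.cookie exposes to page scripts: HttpOnly cookies are omitted,
// which is why reading the session cookie from JavaScript yields nothing.
function scriptVisibleCookies(jar) {
  return jar
    .filter((c) => !c.attrs.httponly)
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Constructed sample: a login response sets an HttpOnly session cookie
// (placeholder id) and a non-HttpOnly preference cookie.
const responseHeaders = [
  "JSESSIONID=434434EXAMPLE; Path=/; HttpOnly",
  "theme=dark; Path=/",
];
const jar = responseHeaders.map(parseSetCookie);

console.log("Cookie request header:", buildCookieHeader(jar));
console.log("document.cookie view:", scriptVisibleCookies(jar));
```

The request header shows both cookies with no attributes; only `theme=dark` is visible to scripts.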