10

I created cookies with the HttpOnly flag in the Safari browser using Java. See the response header below.

Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer:http://anil.mlbextrabases.com/SafariIssue/
User-Agent:Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/534.57.2 (KHTML, like Gecko) Version/5.1.7 Safari/534.57.2
Query String Parameters
userName:servlet
userPass:servlet
flagRequired:true
Response Headers
Content-Length:331
Content-Type:text/html;charset=ISO-8859-1
Date:Wed, 08 Aug 2018 09:23:45 GMT
Server:Apache-Coyote/1.1
Set-Cookie:userInfo="username: servletpassword: servlet"; Version=1; Comment="creating cookie"; Domain=anil.mlbextrabases.com; Max-Age=31536000; Expires=Thu, 08-Aug-2019 09:23:45 GMT; Path=";Path=/;HttpOnly;", JSESSIONID=076942707A8D62AD1296102A1593F664; Path=/SafariIssue; HttpOnly
Strict-Transport-Security:max-age=7776000; includeSubdomains

But the cookies are not passed in subsequent requests in the Safari browser, while they are passed in other browsers like Chrome, Firefox, IE and Edge. When I removed the HttpOnly flag, the cookies were passed fine in Safari as well.

I did a lot of R&D on developer communities, but it did not help.

Anil Rana
  • 153
  • 9
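An RFC 6265-style parse of the Set-Cookie header shown in the question, as an added example that is not part of the original post. Section 5.2 of that RFC splits the header on `;` only (quotes and commas are not delimiters), so the parser shows what a standards-following user agent would actually keep from that header; the header copy, the `Cookie` class and the `audit` check are constructed here.

```python
from dataclasses import dataclass, field
from typing import List, Optional
# Constructed copy of the Set-Cookie value shown in the question's response headers.
PAGE_SET_COOKIE = (
    'userInfo="username: servletpassword: servlet"; Version=1; '
    'Comment="creating cookie"; Domain=anil.mlbextrabases.com; '
    'Max-Age=31536000; Expires=Thu, 08-Aug-2019 09:23:45 GMT; '
    'Path=";Path=/;HttpOnly;", JSESSIONID=076942707A8D62AD1296102A1593F664; '
    'Path=/SafariIssue; HttpOnly'
)
KNOWN = {"version", "comment", "domain", "max-age", "expires", "secure", "samesite"}

@dataclass
class Cookie:
    name: str
    value: str
    path: Optional[str] = None          # None = default-path (RFC 6265 5.1.4)
    httponly: bool = False
    ignored: List[str] = field(default_factory=list)  # attributes a UA drops

def parse_set_cookie(header: str) -> Cookie:
    """RFC 6265 section 5.2: split on ';' only; quotes and commas do not delimit."""
    first, *rest = header.split(";")
    name, _, value = first.partition("=")
    cookie = Cookie(name.strip(), value.strip())
    for av in rest:
        attr, _, val = av.partition("=")
        key, val = attr.strip().lower(), val.strip()
        if key == "path":
            # 5.2.4: a value not starting with '/' means default-path; last Path wins (5.3)
            cookie.path = val if val.startswith("/") else None
        elif key == "httponly":
            cookie.httponly = True
        elif key and key not in KNOWN:
            cookie.ignored.append(av.strip())  # unknown attribute-name: silently dropped
    return cookie

def audit(header: str) -> List[str]:
    """Hardening check: report what a UA would not store as the server intended."""
    c = parse_set_cookie(header)
    findings = []
    if any(ch in c.value.strip('"') for ch in ' ,;\\"'):
        findings.append("cookie-value contains characters outside cookie-octet (4.1.1)")
    if c.path != "/":
        findings.append(f"effective Path is {c.path!r}, not '/'")
    if not c.httponly:
        findings.append("HttpOnly flag missing")
    findings += [f"dropped attribute: {a}" for a in c.ignored]
    return findings
```

Run over the page's header, the parse ends with Path `/SafariIssue` (the last Path attribute wins) and the whole `", JSESSIONID=...` fragment lands in an unknown attribute that is dropped, so the second cookie never exists as a cookie at all.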

1 Answer

-2

HttpOnly cookies by definition are created to NOT allow access from JavaScript. This is a security control to make sure that a hacker cannot exploit your software by extracting valid cookie values (like session IDs).

HttpOnly is a flag the website can specify about a cookie. In other words, the webserver tells your browser “Hey, here is a cookie, and you should treat it as HttpOnly”.

An HttpOnly Cookie is not accessible by the JavaScript. Only the browser knows about it, and it doesn’t give it to the JavaScript code in the page. At first, it might sound like a limitation, and it is. However, the goal of that is that we cannot trust the JavaScript code. An attacker may use JavaScript to steal our authentication token stored in a cookie, and then access the website with our account. With HttpOnly cookies, this is not possible. This makes XSS attacks (the one we just described) harder to perform.

It is a recognized best practice to share any authentication data only with HttpOnly cookies. Using a standard cookie for authentication is a known vulnerability we should avoid in any case.

https://www.ictshore.com/ict-basics/httponly-cookie/

ullfindsmit
  • 279
  • 1
  • 5
  • 20
  • 2
    This doesn’t answer the OP's question though. Why won’t Safari send these HttpOnly cookies along with subsequent requests but Chrome and Edge etc. will? – AndyMoose Dec 09 '21 at 17:25