Questions tagged [cookie-httponly]

Questions related to cookies which should be sent only via HTTP. These cookies are not accessible via JavaScript.

199 questions
69 votes, 4 answers

Laravel 5.6 - Passport JWT httponly cookie SPA authentication for self consuming API?

NOTE: I had 4 bounties on this question, but none of the upvoted answers below are the answer needed for this question. Everything needed is in Update 3 below, just looking for Laravel code to implement. UPDATE 3: This flow chart is exactly the flow…
Wonka
36 votes, 1 answer

How to delete cookie with HttpOnly using PHP or JS

I have a cookie with these parameters: Name: workgroup_session_id Content: "" Domain: agrobman1.tsi.lan Path: / Send for: Any kind of connection Accessible to script: No (HttpOnly) Created: Wednesday, November 4, 2015 at 9:31:58…
anton2g
28 votes, 3 answers

Tomcat 7 sessionid cookie disable http-only and secure

I have a web application which is running on a Tomcat 7 server. The cookie with session id has by default the flags HttpOnly and Secure. I want to disable these flags for the JSESSIONID cookie. But it won't work. I have changed this in my web.xml file…
JEE-Dev
27 votes, 1 answer

Logout with HttpOnly cookie

I can see that HttpOnly cookies are good for security, however they make logging out without server interaction impossible, right?1 So when the network fails, you can't log out and leave. I can imagine a workaround, but I'd like to ask first does…
maaartinus
24 votes, 9 answers

Setting an httponly cookie with javax.servlet 2.5

Here is a function that sets a cookie: public void addCookie(String cookieName, String cookieValue, Integer maxAge, HttpServletResponse response) { Cookie cookie = new Cookie(cookieName, cookieValue); cookie.setPath("/mycampaigns"); …
aamiri
14 votes, 2 answers

How to set an HTTPONLY cookie in Flask

I read Set "secure" attribute for Flask cookies, but it's for setting secure cookies, but I'm trying to set HTTPONLY cookies. They both are kind-of-secure cookies, but differ in specs (read more). The cookie needs to be protected because it is about…
이기름
11 votes, 1 answer

HttpOnly cookies not sent by request

I want to use HttpOnly cookies and I set it in Java as follows: ... Cookie accessTokenCookie = new Cookie("token",…
István
8 votes, 2 answers

Do Mobile Browsers send httpOnly cookies via the HTML5 Audio-Tag?

I try to play some mp3 files via the html5 audio-tag. For the desktop this works great (with Chrome), but when it comes to the mobile browsers (also Chrome (for Android)), there seem to be some difficulties: I protected the stream with some password…
JepZ
7 votes, 0 answers

httpOnly cookie in react-native for JWT refresh-token

I have an express-node server. I send a JWT access token in the response and also a JWT refresh token via httpOnly cookie only. When using it in a browser, that refresh token is automatically sent with every subsequent request. But when I tried to use…
7 votes, 1 answer

Javascript won't set httpcookie received in XHR response

I have a basic SPA (react) <-> API (net core 2.2) setup, with 2 environments: dev and prod (small project). There is an authentication mechanism on the API side that checks the presence of a httponly cookie in every request containing a JWT. On the…
6 votes, 0 answers

ASP.NET HttpOnly cookie in web.config not working

From everything I've read online, a web.config like this should enable HttpOnly cookies, in ASP.NET 2.0. However this is not working. ... Is…
jmosesman
5 votes, 1 answer

How to use http only cookie with django rest framework?

I read about some of the issues related to storing jwt token in local storage that's why I am trying to store token in http-only cookie. I am using following approach. from rest_framework.views import APIView from rest_framework.response import…
4 votes, 1 answer

Avoid refresh token for authentication when using HttpOnly cookie

I have a solution for an authentication system without using a refresh token. Please tell me where the vulnerabilities of this method are. I assume the following: Client and Server are on the same domain. Client is a browser that supports HttpOnly…
47ndr
4 votes, 0 answers

Django: How do I allow views and methods with AllowAny permission to bypass authentication with HttpOnly JWT token cookies?

I have applied JWT authentication with HttpOnly cookies using a custom middleware. Now, the middleware checks for the presence of access and refresh tokens as HttpOnly cookies in every request. Everything works well. But, it returns 'KeyError':…
4 votes, 1 answer

How does HttpOnly cookie protect against XSS/Injection attack if they are passed automatically with every request?

From what I understand, HttpOnly cookies cannot be read by client js but they are passed by the browser with any subsequent requests. If an attacker is able to inject js in to a web page and makes a request to the endpoint, it would still go through…
Aravind