163

I have a cookie that is NOT HttpOnly Can I set this cookie to HttpOnly via JavaScript?

Improve this question
4
  • 1
    How would it be possible to set a cookie by JavaScript which JavaScript itself isn't supposed to be able to manipulate? Just set it in the server side. Commented Feb 4, 2013 at 17:05
  • 2
    The Cookie is NOT HttpOnly and i want to set it to HttpOnly via Javascript. Commented Feb 4, 2013 at 17:06
  • 10
    I think you miss the point of HttpOnly. Commented Feb 4, 2013 at 17:06
  • 6
    Great question. There really isn't any downside to setting an HttpOnly cookie from the client as far as security goes. So you'd think that it would be allowed. But of course it isn't. Commented Sep 30, 2020 at 23:49

1 Answer 1

Reset to default
315
+50

An HttpOnly cookie means that it's not available to scripting languages like JavaScript. So in JavaScript, there's absolutely no API available to get/set the HttpOnly attribute of the cookie, as that would otherwise defeat the meaning of HttpOnly.

Just set it as such on the server side using whatever server side language the server side is using. If JavaScript is absolutely necessary for this, you could consider to just let it send some (ajax) request with e.g. some specific request parameter which triggers the server side language to create an HttpOnly cookie. But, that would still make it easy for hackers to change the HttpOnly by just XSS and still have access to the cookie via JS and thus make the HttpOnly on your cookie completely useless.

Improve this answer
Sign up to request clarification or add additional context in comments.

10 Comments

I'm wondering how could a client side app like "EditThisCookie" browser extension change the HttpOnly flag to false.
@BalusC Browser extensions are written in JS and have been for some time developer.chrome.com/extensions "You write them using web technologies such as HTML, JavaScript, and CSS." developer.mozilla.org/en-US/Add-ons/WebExtensions/… "They are written using standard Web technologies - JavaScript, HTML, and CSS - plus some dedicated JavaScript APIs. " And example of an open source one written in 2013 github.com/Asana/Chrome-Extension-Example
I don't really see how being able to set HttpOnly from JS would "defeat the meaning of HttpOnly", so long as the cookie is still unreadable from the script...
MDN says it's forbidden. developer.mozilla.org/en-US/docs/Web/HTTP/…
@M.I.Wright It could potentially allow you to write over a httponly cookie, which would then allow you to brute force session cookies etc. so XSS attacks (especially DoS) would still be possible.
|

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.