HttpOnly Cookies

Written 11/3/2017

What is HttpOnly

HttpOnly cookies were introduced by Microsoft's Internet Explorer developers in 2002, with Internet Explorer 6 SP1, and the attribute was later standardised in RFC 6265. HttpOnly is a supplementary attribute that is included in the Set-Cookie HTTP response header alongside the cookie's name and value.

How does it work

By setting the HttpOnly flag, you reduce the risk of client-side script reading a protected cookie. The flag must be set by the server when it creates the cookie, and the browser must support HttpOnly for it to have any effect.
When the Set-Cookie header carries the HttpOnly attribute and the browser supports it, the cookie is still sent automatically with every matching HTTP request, but it cannot be read through client-side script such as document.cookie.

If a cross-site scripting flaw exists, and an end user visits a page that exploits it, the injected script cannot read the cookie, so it cannot simply send the session cookie to a third party. Note what the flag does not do: the injected script still runs in the victim's browser, and any request it makes to the site will carry the cookie automatically, so HttpOnly limits cookie theft but does not remove the need to fix the cross-site scripting flaw itself.
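
As an added example (not part of the original article), the following Node.js code shows the server side of the mechanism described above: it builds a Set-Cookie header value that carries HttpOnly, and it audits a list of Set-Cookie headers for cookies that a script could still read because the flag is missing. The function names, cookie names and sample headers are constructed for illustration; the check runs offline with no network access.

```javascript
// Added example, not from the original article. Runs under Node.js with no
// network access: builds a Set-Cookie header value that carries HttpOnly,
// and audits Set-Cookie headers for cookies a script could still read.

// Build a Set-Cookie header value. Secure and SameSite are included by default
// because a session cookie should normally carry them alongside HttpOnly.
function buildSetCookie(name, value, opts = {}) {
  const { httpOnly = true, secure = true, sameSite = 'Lax', path = '/', maxAge } = opts;
  // RFC 6265: the name is a token; the value may not contain CTLs, whitespace,
  // double quotes, commas, semicolons or backslashes.
  if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) throw new Error('invalid cookie name');
  if (/[\s",;\\\x00-\x1f\x7f]/.test(value)) throw new Error('invalid cookie value');
  const parts = [`${name}=${value}`, `Path=${path}`];
  if (Number.isInteger(maxAge)) parts.push(`Max-Age=${maxAge}`);
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  if (sameSite) parts.push(`SameSite=${sameSite}`);
  return parts.join('; ');
}

// Parse one Set-Cookie header value into name, value and a map of attributes.
// Attribute names are case-insensitive, so they are normalised to lower case.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const attributes = new Map();
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attributes.set(key, i === -1 ? true : attr.slice(i + 1));
  }
  return { name, value, attributes };
}

// Return the names of cookies that client-side script could read, i.e. those
// set without the HttpOnly attribute. This is the check to run against a
// server's responses when auditing session-cookie handling.
function cookiesReadableByScript(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => !c.attributes.has('httponly'))
    .map((c) => c.name);
}

// Constructed sample headers, as a server might emit them (hypothetical names).
const sampleHeaders = [
  buildSetCookie('sessionid', 'a1b2c3'),       // -> '...; Secure; HttpOnly; SameSite=Lax'
  'theme=dark; Path=/; Secure',                 // deliberately missing HttpOnly
  'prefs=compact; path=/; httponly',            // lower-case attribute name, still valid
];

console.log(sampleHeaders);
console.log('readable by script:', cookiesReadableByScript(sampleHeaders)); // [ 'theme' ]
```

The audit treats attribute names case-insensitively, as browsers do, so a lower-case `httponly` is recognised; a cookie is only reported when the attribute is absent altogether. In practice you would feed it the Set-Cookie headers captured from a real response and expect the session cookie not to appear in the result.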

Unsupported browsers

Using HttpOnly carries no risk to the user experience as such: the cookie will still be set even if the browser does not support HttpOnly. But as a developer you should be aware that you have no guarantee the HttpOnly flag is honoured on the client.

If a piece of code on a website creates a cookie and tries to set it as HttpOnly, and the browser does not support HttpOnly, the only consequence is that the browser ignores the HttpOnly attribute and creates the cookie as a traditional cookie, which is accessible from script.