Secure and HTTPOnly flags


Vikas Singhal

Jun 18, 2013, 6:31:40 AM
to null-...@googlegroups.com
I understand the difference between these two flags necessary for cookie protection. What I am not able to figure out is: if the server is using the Secure flag, does it imply HTTPOnly by default, or do you have to use both the flags together?

Someone, please clarify this.


Regards,
Vikas

Anant Shrivastava

Jun 18, 2013, 6:38:21 AM
to null-...@googlegroups.com
secure just says send only over a secure channel
httponly says do not make it available to the DOM

you need to specify both.

-Anant

--
null - Spreading the right Information
null Mailing list charter: http://null.co.in/section/about/null_list_charter/
---
You received this message because you are subscribed to the Google Groups "null" group.
To unsubscribe from this group and stop receiving emails from it, send an email to null-co-in+...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

Anant Shrivastava

Jun 18, 2013, 6:55:31 AM
to null-...@googlegroups.com

Shirish Padalkar

Jun 18, 2013, 6:40:53 AM
to null-...@googlegroups.com
Hi,

In simple words, the secure flag is used to tell the browser to transmit the cookie only over an HTTPS connection, while the HTTPOnly flag restricts access to the cookie to transmission to the server, i.e. JavaScript will not have access to the cookie.

Now, it depends on your use case. You can have any combination of these settings. If your application needs to manipulate the cookie using JavaScript, then probably you would need to set the HTTPOnly flag to false. But IMO it's still a good idea to have it secure.

I hope this helps.

With regards,
Shirish Padalkar
http://twitter.com/_Garbage_




khusha...@gmail.com

Jun 18, 2013, 7:56:35 AM
to T
Hi,
If my app is on SSL, then why do we need the Secure flag, which only works when SSL is enabled? Will HTTPOnly not suffice for the requirement?

Anant Shrivastava

Jun 18, 2013, 8:15:06 AM
to null-...@googlegroups.com
Assuming your whole application runs on port 443 and no other HTTP port is open and will never be opened in future, then you can start thinking that httponly might suffice the requirements. (In that case I would remind you of sslstrip.)

However, for those thinking in that direction I would suggest having a look at this long chain of arguments and counter-arguments discussing this issue of whether to use secure in case the whole app is on SSL.
(Link requires a LinkedIn account and requires you to join WAST - Web Application Security Testing group. However, the discussion is worth the pain.)


For those without the patience to read the whole thing, here is the crux: even though you might not have a need for it, setting secure + httponly doesn't adversely affect server performance; however, in future this simple step might help you in cases where a misconfiguration might divulge something. So, following a defence-in-depth attitude, it is suggested to set both as true.


Anant Shrivastava 
GWAPT | CEH | RHCE
Mob : 91-9880166033
E-mail : an...@anantshri.info
Web : http://anantshri.info

Akash

Jun 18, 2013, 8:50:56 AM
to null-...@googlegroups.com
The Secure flag will ensure that even if there is a MITM (sslstrip) scenario, unless the transport is TLS the cookie will not travel over the wire (job of the browser).
Warm regards,
Akash Mahajan

That Web Application Security Guy | +91 99 805 271 82
akashm.com | @makash on twitter | linkd.in/webappsecguy
OWASP Bangalore Chapter Lead | null Community Manager
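The following is an added example, not code from anyone in this thread: a small Node.js model of the two browser rules Shirish, Anant and Akash describe above (a Secure cookie is only attached to requests over https, an HttpOnly cookie is never exposed through document.cookie), together with a server-side audit helper that reports which of the two attributes a Set-Cookie header is missing. The cookie name, value and the host app.example are constructed for the demo; the attribute semantics follow RFC 6265, but real browsers may differ in details such as domain and path matching, which this model does not cover.

```javascript
// Added example (not from the original thread): model of Secure / HttpOnly
// handling per RFC 6265 plus a Set-Cookie audit. Cookie values are constructed.

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are case-insensitive, so keys are lowercased; a bare
// attribute such as "Secure" is stored as true.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';');
  const eq = pair.indexOf('=');
  if (eq < 0) throw new Error('Set-Cookie without name=value: ' + header);
  const attrs = {};
  for (const part of rest) {
    const p = part.trim();
    if (!p) continue;
    const i = p.indexOf('=');
    const key = (i < 0 ? p : p.slice(0, i)).trim().toLowerCase();
    attrs[key] = i < 0 ? true : p.slice(i + 1).trim();
  }
  return { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim(), attrs };
}

// Client side: would the browser attach this cookie to a request for `url`?
// Only the scheme is modelled; a Secure cookie is withheld from plain http,
// which is what protects it when a downgrade (sslstrip-style) forces http.
function wouldSend(cookie, url) {
  const scheme = new URL(url).protocol; // "https:" or "http:"
  if (cookie.attrs.secure && scheme !== 'https:') return false;
  return true;
}

// Client side: can page script read this cookie through document.cookie?
// HttpOnly cookies are still sent to the server, just hidden from script.
function visibleToScript(cookie) {
  return !cookie.attrs.httponly;
}

// Server side: which of the two protections does this header lack?
function auditSetCookie(header) {
  const c = parseSetCookie(header);
  const missing = [];
  if (!c.attrs.secure) missing.push('Secure');
  if (!c.attrs.httponly) missing.push('HttpOnly');
  return { name: c.name, missing };
}

// Constructed sample headers: the four flag combinations the thread discusses.
const SAMPLES = {
  both: 'SESSIONID=abc123; Path=/; Secure; HttpOnly',
  httpOnlyOnly: 'SESSIONID=abc123; Path=/; HttpOnly',
  secureOnly: 'SESSIONID=abc123; Path=/; Secure',
  neither: 'SESSIONID=abc123; Path=/',
};

// Run every sample through both the client-side model and the audit.
function demo() {
  const results = {};
  for (const [label, header] of Object.entries(SAMPLES)) {
    const c = parseSetCookie(header);
    results[label] = {
      sentOverHttps: wouldSend(c, 'https://app.example/'),
      sentOverHttp: wouldSend(c, 'http://app.example/'), // the downgraded case
      readableByJs: visibleToScript(c),
      missing: auditSetCookie(header).missing,
    };
  }
  return results;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Running it shows why the flags are independent: the HttpOnly-only cookie is hidden from script yet still leaves over plain http, and the Secure-only cookie stays off the wire on http yet is readable by any script on the page. Only the "both" sample passes the audit with nothing missing.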

prasanna.k

Jun 18, 2013, 1:31:25 PM
to null-...@googlegroups.com
Dude 

It still does not say the cookie is not part of the DOM. It just means client JS can't access it. I will test this tomorrow; we can then confirm. Interesting chat though.

PK

Anant Shrivastava

Jun 18, 2013, 2:54:07 PM
to null-...@googlegroups.com
This should throw more light on the subject.


It's the RFC specification; however, vendor implementation may vary.

-Anant Shrivastava

Vikas Singhal

Jun 19, 2013, 12:33:28 AM
to null-...@googlegroups.com
Thanks everyone, very helpful. 

Regards,
Vikas