Is it fine to send HttpOnly cookies in a response?

by Nishant   Last Updated May 08, 2018 17:04 PM

We can't access HttpOnly cookies using the document.cookie API. The browser, however, has access to them because it keeps them from the response header, and the person who uses that machine can always see them.

Just imagine that I want to forward this to another site intentionally in order to use the same session; I could create a URL which sends this information in a response instead:

https://www.example.com/get_me_the_session_cookie

But wouldn't that mean I am basically creating the same vulnerability in my web application that HttpOnly is trying to prevent malicious scripts from exploiting? There is the additional need of knowing the URL beforehand, so instead of a script that is hard-coded with document.cookie, it would have to be tailor-made for that website, with the URL that might give out the session cookie.

So, is it actually a good thing to do? Is there any way to intentionally do session sharing if HttpOnly is set? Or is it that I just can't have the best of both worlds?

Tags: https, cookie

