Http only cookie

Presentation Transcript

• HttpOnly Cookie: Something You Don't Know About HTTP. RDSS Team, 2012-04
• Author: 兰七, yuxia0025@gmail.com
• About RDSS: Research on Domain Specific Solution. We focus on existing specifications, solutions, products, etc., and we put our research into practice.
• Contents: Cookie Definition; HttpOnly Cookie; Browsers Supporting; Cross-site Scripting; XMLHttpRequest; Finally

• Cookie Definition
  – A cookie, also known as an HTTP cookie, web cookie, or browser cookie, is a piece of data stored by a website within a browser, and then subsequently sent back to the same website by the browser.
  Refer: http://en.wikipedia.org/wiki/Http_cookie#HttpOnly_cookie

• HttpOnly Cookie
  – Definition: HttpOnly is an additional flag included in a Set-Cookie HTTP response header. An HttpOnly session cookie will be used only when transmitting HTTP (or HTTPS) requests.
  Refer: http://en.wikipedia.org/wiki/Http_cookie#HttpOnly_cookie
  – Born: HttpOnly cookies were first implemented in 2002 by Microsoft Internet Explorer developers for Internet Explorer 6 SP1.
  Refer: https://www.owasp.org/index.php/HttpOnly#Who_developed_HttpOnly.3F_When.3F
  – Features: restricting access from other non-HTTP APIs (such as JavaScript); the restriction mitigates but does not eliminate the threat of session cookie theft via cross-site scripting (XSS).
  Refer: https://www.owasp.org/index.php/HttpOnly#Who_developed_HttpOnly.3F_When.3F
  – Syntax: Set-Cookie: USER(key)=123(value); expires=Wednesday, 09-Nov-99 23:12:40 GMT; HttpOnly
  Refer: https://www.owasp.org/index.php/HttpOnly#Who_developed_HttpOnly.3F_When.3F
  – Set HttpOnly using PHP: permanently, with session.cookie_httponly = True in php.ini; or per cookie, with setcookie("testcookie", $value, time()+3600, "/", "www.xx.com", 0, 1); (the last argument is the httponly parameter)
  Refer: http://www.php.net/manual/en/function.setcookie.php

• Browsers Supporting
  – Support: the cookie cannot be accessed through client-side script; even if a cross-site scripting (XSS) flaw exists and a user accidentally accesses a link that exploits this flaw, the browser (primarily Internet Explorer) will not reveal the cookie to a third party.
  Refer: https://www.owasp.org/index.php/HttpOnly#Who_developed_HttpOnly.3F_When.3F
  – NOT Support: the HttpOnly flag will be ignored by the browser, thus creating a traditional, script-accessible cookie (document.cookie).
  Refer: https://www.owasp.org/index.php/HttpOnly#Who_developed_HttpOnly.3F_When.3F
  – Browsers supporting HttpOnly cookie:

                   ie6   ie7   ie8   ie9   chrome   firefox   safari
    prevent write  yes   yes   yes   yes   yes      yes       yes
    prevent read   yes   yes   yes   yes   yes      yes       yes

  Refer: https://www.owasp.org/index.php/HttpOnly#Who_developed_HttpOnly.3F_When.3F
  Refer: http://www.browserscope.org/security/test
  – WebGoat. Refer: http://code.google.com/p/webgoat/

• Cross-Site Scripting
  – Browser: cross-site scripting is a server-side vulnerability that is often created when rendering user input as HTML, e.g. to expose sensitive information about users of the web site.
  Refer: http://msdn.microsoft.com/en-us/library/ms533046.aspx
  – Example. Refer: http://msdn.microsoft.com/en-us/library/ms533046.aspx

• XMLHttpRequest
  – getResponseHeader; getAllResponseHeaders
  Refer: http://ha.ckers.org/blog/20070719/firefox-implements-httponly-and-is-vulnerable-to-xmlhttprequest/
  – Set-Cookie && Set-Cookie2: Set-Cookie is defined in RFC 2109; Set-Cookie2 is defined in RFC 2965; one or more key-value pairs.
  Refer: http://www.ietf.org/rfc/rfc2965.txt
  – Fixed Browsers: Firefox; IE; Safari 5 && Chrome 12. Firefox bans all cookie headers.
  – Test Tool: Robert Hansen's HttpOnly test page now includes Set-Cookie and Set-Cookie2 checks for XMLHttpRequest exposure.
  Refer: http://ha.ckers.org/httponly.cgi
  – Test Result (A = document.cookie, B = XHR API):

                          ie6            ie7            ie8            ie9            chrome         firefox        safari
    A (document.cookie)   not httpOnly   not httpOnly   not httpOnly   not httpOnly   not httpOnly   not httpOnly   not httpOnly
    B (XHR API)           not httpOnly   not httpOnly   not httpOnly   not httpOnly   no             no             no
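As an added example (not code from the slides), here is the Set-Cookie syntax from the Syntax slide parsed in JavaScript, with a small model of the two behaviours the Test Result table records: document.cookie hiding HttpOnly cookies (row A), and XMLHttpRequest header access either hiding only HttpOnly cookie headers or, as the Fixed Browsers slide says of Firefox, stripping Set-Cookie and Set-Cookie2 entirely (row B). The parser, the mode names and the sample headers are this example's own assumptions.

```javascript
// Parse one Set-Cookie/Set-Cookie2 value into name, value and attributes.
// Attribute names are case-insensitive; bare flags such as HttpOnly map to true.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const part of attrParts) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    if (key) attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim(),
           httpOnly: attrs.httponly === true, attrs };
}
// Audit: names of cookies a page script could read because HttpOnly is missing.
function cookiesReadableByScript(setCookieValues) {
  return setCookieValues.map(parseSetCookie).filter((c) => !c.httpOnly).map((c) => c.name);
}
// Row A of the Test Result slide: document.cookie in a supporting browser
// lists only the cookies set without HttpOnly.
function documentCookie(setCookieValues) {
  return setCookieValues.map(parseSetCookie).filter((c) => !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`).join('; ');
}
// Row B: what getAllResponseHeaders() returns. Mode names are this example's:
// 'filter-httponly' hides only HttpOnly cookie headers (the "not httpOnly"
// cells); 'strip-all' hides every Set-Cookie/Set-Cookie2 header, as the Fixed
// Browsers slide says Firefox does (the "no" cells).
function xhrResponseHeaders(responseHeaders, mode) {
  const lines = [];
  for (const [name, value] of responseHeaders) {
    const isCookie = /^set-cookie2?$/i.test(name);
    if (isCookie && mode === 'strip-all') continue;
    if (isCookie && mode === 'filter-httponly' && parseSetCookie(value).httpOnly) continue;
    lines.push(`${name}: ${value}`);
  }
  return lines.join('\r\n');
}
// Constructed sample response: the Syntax slide's cookie, an RFC 2965
// Set-Cookie2, and a preference cookie set without HttpOnly.
const SAMPLE_HEADERS = [
  ['Content-Type', 'text/html'],
  ['Set-Cookie', 'USER=123; expires=Wednesday, 09-Nov-99 23:12:40 GMT; HttpOnly'],
  ['Set-Cookie2', 'sid=abc; Version=1; HttpOnly'],
  ['Set-Cookie', 'theme=dark; Path=/'],
];
const SAMPLE_COOKIES = SAMPLE_HEADERS.filter(([n]) => /^set-cookie2?$/i.test(n)).map(([, v]) => v);
console.log('script-readable:', cookiesReadableByScript(SAMPLE_COOKIES));
```

Run against a real response, the audit function is the check to make: a session cookie name appearing in its output means the HttpOnly flag was not set.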

• Finally
  – HttpOnly Cookie: Pros; Cons