Http only cookie
Published in: Technology
  1. HttpOnly Cookie: Something You Don't Know About HTTP. RDSS Team, 2012-04
  2. Author: 兰七
  3. About RDSS: Research on Domain Specific Solution. We focus on existing specifications, solutions, products, etc., and we put our research into practice.
  4. Contents
     • Cookie Definition
     • HttpOnly Cookie
     • Browsers Supporting
     • Cross-site Scripting
     • XMLHTTPRequest
     • Finally
  5. Cookie Definition
  6. • A cookie, also known as an HTTP cookie, web cookie, or browser cookie, is a piece of data stored by a website within a browser, and then subsequently sent back to the same website by the browser.
  7. HttpOnly Cookie
  8. Definition
     • HttpOnly is an additional flag included in a Set-Cookie HTTP response header. An HttpOnly session cookie will be used only when transmitting HTTP (or HTTPS) requests.
  9. Born
     • HttpOnly cookies were first implemented in 2002 by Microsoft Internet Explorer developers for Internet Explorer 6 SP1.
  10. Feature
     • Restricts access from other, non-HTTP APIs (such as JavaScript).
     • The restriction mitigates but does not eliminate the threat of session cookie theft via cross-site scripting (XSS).
  11. Syntax
     • Set-Cookie: USER=123; expires=Wednesday, 09-Nov-99 23:12:40 GMT; HttpOnly
       (USER is the cookie name, 123 its value; HttpOnly is the flag.)
  12. Set HttpOnly Using PHP
     • Permanently, for the session cookie: session.cookie_httponly = True (in php.ini)
     • Per cookie: setcookie("testcookie", $value, time()+3600, "/", "", false, true);
       (the sixth argument is the Secure flag, the seventh is HttpOnly)
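The syntax and PHP slides above describe how the flag is emitted; the following is an added example (not from the original slides) that parses Set-Cookie headers and flags cookies missing HttpOnly or Secure, so a server's cookie policy can be checked from captured responses. The sample headers and the `scriptReadable` allow-list are constructed for this example.

```javascript
// Parse one Set-Cookie header value into { name, value, attributes }.
// Attribute names are case-insensitive, so they are stored lower-cased;
// flag attributes without a value (HttpOnly, Secure) are stored as true.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf("=");
  if (eq < 0) throw new Error("Set-Cookie without a name=value pair");
  const name = parts[0].slice(0, eq).trim();
  const value = parts[0].slice(eq + 1).trim();
  const attributes = {};
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf("=");
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attributes[key] = i < 0 ? true : attr.slice(i + 1).trim();
  }
  return { name, value, attributes };
}

// Audit a list of Set-Cookie headers. Every cookie is expected to carry
// HttpOnly unless its name is in scriptReadable (cookies a page must read
// from JavaScript on purpose, e.g. a double-submit CSRF token); when the
// response came over HTTPS, Secure is expected as well.
function auditSetCookieHeaders(headers, { overHttps = true, scriptReadable = [] } = {}) {
  const findings = [];
  for (const h of headers) {
    const c = parseSetCookie(h);
    if (!scriptReadable.includes(c.name) && !("httponly" in c.attributes)) {
      findings.push({ cookie: c.name, issue: "missing HttpOnly (readable via document.cookie)" });
    }
    if (overHttps && !("secure" in c.attributes)) {
      findings.push({ cookie: c.name, issue: "missing Secure (sent over plain HTTP)" });
    }
  }
  return findings;
}

// Constructed sample headers: the slide's syntax example, a PHP session
// cookie set without the flag, and an intentionally script-readable token.
const SAMPLE_HEADERS = [
  "USER=123; expires=Wednesday, 09-Nov-99 23:12:40 GMT; HttpOnly",
  "PHPSESSID=abc123; path=/",
  "XSRF-TOKEN=t0k3n; path=/; Secure",
];

for (const f of auditSetCookieHeaders(SAMPLE_HEADERS, { scriptReadable: ["XSRF-TOKEN"] })) {
  console.log(`${f.cookie}: ${f.issue}`);
}
```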
  13. Browsers Supporting
  14. Support
     • The cookie cannot be accessed through client-side script, so even if a cross-site scripting (XSS) flaw exists and a user accidentally accesses a link that exploits this flaw, the browser (primarily Internet Explorer) will not reveal the cookie to a third party.
  15. NOT Support
     • The HttpOnly flag will be ignored by the browser, thus creating a traditional, script-accessible cookie.
       – document.cookie
  16. Browsers Supporting HttpOnly Cookie
                      ie6   ie7   ie8   ie9   chrome   firefox   safari
       prevent write  yes   yes   yes   yes   yes      yes       yes
       prevent read   yes   yes   yes   yes   yes      yes       yes
  17. (slide with reference link only)
  18. WebGoat
  19. Cross-Site Scripting
  20. Browser
     • XSS is a server-side vulnerability that is often created when rendering user input as HTML.
     • e.g. it can expose sensitive information about users of the web site.
  21. Example
  22. XMLHTTPRequest
  23. • getResponseHeader
      • getAllResponseHeaders
      Refer: is-vulnerable-to-xmlhttprequest/
  24. Set-Cookie && Set-Cookie2
     • Set-Cookie is defined in RFC 2109
     • Set-Cookie2 is defined in RFC 2965
     • one or more key-value pairs
  25. Fixed Browsers
     • Firefox
     • IE
     • Safari 5 && Chrome 12
     • Firefox bans all cookie headers
  26. Test Tool
     • Robert Hansen's HTTPOnly test page now includes Set-Cookie and Set-Cookie2 checks for XMLHTTPRequest exposure.
  27. Test Result (cells show which cookies each API exposes)
                            ie6           ie7           ie8           ie9           chrome        firefox       safari
       A (document.cookie)  not httpOnly  not httpOnly  not httpOnly  not httpOnly  not httpOnly  not httpOnly  not httpOnly
       B (xhr api)          not httpOnly  not httpOnly  not httpOnly  not httpOnly  no            no            no
  28. Finally
  29. HttpOnly Cookie
     • Pros
     • Cons