WebApp Sec mailing list archives

Re: Reviewing security parameters

From: Matt Summers <matt () pd9soft com>
Date: Fri, 16 Apr 2004 17:31:20 -0500

You add this attribute to the cookie in the HTTP response header.
http://msdn.microsoft.com/workshop/author/dhtml/httponly_cookies.asp

Mozilla has plans to follow suit.
http://bugzilla.mozilla.org/show_bug.cgi?id=178993


Jared wrote:

On Apr 16, 2004, at 3:01 PM, V. Poddubniy wrote:
Don't forget to set cookie as HttpOnly (this is useful at least for
users of IE 6 SP1). This will tell browser not to tell on-page scrips
(javascript, etc.) the cookie.
how does one do this? I was under the impression that you couldset a cookie to only be sent via HTTPS/SSL, but not with any otherrestrictions.
Is this a feature that is unique to a particular web applicationenvironment, i.e. ASP.Net, PHP, JSP?
cheers,

- Jared

Current thread:

Reviewing security parameters Simon Lemieux (Apr 16)
- Re: Reviewing security parameters Ilya Sher (Apr 16)
- RE: Reviewing security parameters V. Poddubniy (Apr 16)
  - Re: Reviewing security parameters Jared (Apr 16)
    - Re: Reviewing security parameters Matt Summers (Apr 16)
- Re: Reviewing security parameters exon (Apr 16)
- Follow-up: Reviewing security parameters Simon Lemieux (Apr 17)
  - Message not available
    - Re: Follow-up: Reviewing security parameters Simon Lemieux (Apr 21)
- <Possible follow-ups>
- RE: Reviewing security parameters Pitts, Christopher C. (Apr 16)
- RE: Reviewing security parameters Scovetta, Michael V (Apr 16)
- RE: Reviewing security parameters Auri A. Rahimzadeh (Apr 16)