WebApp Sec mailing list archives
Re: Reviewing security parameters
From: Matt Summers <matt () pd9soft com>
Date: Fri, 16 Apr 2004 17:31:20 -0500
You add this attribute to the cookie in the HTTP response header.
http://msdn.microsoft.com/workshop/author/dhtml/httponly_cookies.asp

Mozilla has plans to follow suit.
http://bugzilla.mozilla.org/show_bug.cgi?id=178993

Jared wrote:
> On Apr 16, 2004, at 3:01 PM, V. Poddubniy wrote:
>> Don't forget to set cookie as HttpOnly (this is useful at least for users of IE 6 SP1). This will tell browser not to tell on-page scripts (javascript, etc.) the cookie.
>
> how does one do this? I was under the impression that you could set a cookie to only be sent via HTTPS/SSL, but not with any other restrictions.
>
> Is this a feature that is unique to a particular web application environment, i.e. ASP.Net, PHP, JSP?
>
> cheers,
> - Jared
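Added example, not part of the original messages: because HttpOnly is just an attribute on the Set-Cookie response header, any server environment can emit it, and a reviewer can check for it by reading the headers. The sketch below builds such a header with Python's standard library and audits header values for missing Secure and HttpOnly flags; the cookie name SESSIONID, the helper names and the sample headers are constructed for illustration.

```python
from http.cookies import SimpleCookie

# Constructed sample Set-Cookie values (not taken from any real site).
SAMPLE_HEADERS = [
    "SESSIONID=abc123; path=/",
    "SESSIONID=abc123; path=/; secure",
    "SESSIONID=abc123; Path=/; Secure; HttpOnly",
]


def build_session_cookie(name, value):
    """Return a Set-Cookie header value carrying Secure and HttpOnly."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = "/"
    jar[name]["secure"] = True    # browser sends it over HTTPS only
    jar[name]["httponly"] = True  # browser hides it from on-page scripts
    return jar[name].OutputString()


def audit_set_cookie(header_value):
    """Return the flags missing from one Set-Cookie header value."""
    # Attributes follow the first name=value pair, separated by ';'.
    parts = [p.strip() for p in header_value.split(";")]
    # Compare attribute names only, so "path=/httponly" is not mistaken
    # for the HttpOnly flag. Attribute names are case-insensitive.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return [flag for flag in ("secure", "httponly") if flag not in attrs]


def audit_all(headers):
    """Map each failing header value to the flags it lacks."""
    return {h: missing for h in headers if (missing := audit_set_cookie(h))}


if __name__ == "__main__":
    print("Set-Cookie:", build_session_cookie("SESSIONID", "abc123"))
    for header, missing in audit_all(SAMPLE_HEADERS).items():
        print("missing", missing, "in:", header)
```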