user3015541

Reputation: 357

Hide cookies from document.cookie

I opened a cookie browser for Firefox and noticed that my localhost (PHP/Apache) has a cookie named sessid. But when I tried

document.cookie

in the browser, the result is "". How is that possible?

Upvotes: 3

Views: 2672

Answers (1)

MrTux

Reputation: 34042

Cookies created by some server-side application (or PHP) can be marked as httpOnly. Then these cookies are not visible to JavaScript on the client side; however, the cookies are still transmitted in HTTP(S) requests.

PHP session cookies are marked as httpOnly; thus, you cannot access them using document.cookie.

The reason for this feature was to mitigate some cross-site scripting attacks (cookie stealing).

Upvotes: 4
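
The behaviour described in the answer, as an added example that is not part of the original question or answer: a simplified cookie jar model showing that a cookie set with the HttpOnly attribute is left out of what document.cookie returns but is still sent in the Cookie request header. The names parseSetCookie, CookieJar and demo are hypothetical, and the header values are constructed sample data.

```javascript
// Added example: simplified model of a browser cookie jar, not full RFC 6265.
// Path, domain, expiry and Secure handling are deliberately left out.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 1) return null; // no cookie name: ignore the header
  const flags = new Set(attrs.map((a) => a.split('=')[0].toLowerCase()));
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), httpOnly: flags.has('httponly') };
}

class CookieJar {
  constructor() { this.cookies = new Map(); }
  store(setCookieHeader) {
    const c = parseSetCookie(setCookieHeader);
    if (c) this.cookies.set(c.name, c);
  }
  serialize(list) { return list.map((c) => `${c.name}=${c.value}`).join('; '); }
  // What script sees via document.cookie: HttpOnly cookies are filtered out.
  documentCookie() {
    return this.serialize([...this.cookies.values()].filter((c) => !c.httpOnly));
  }
  // What the browser sends in the Cookie request header: every stored cookie.
  requestHeader() { return this.serialize([...this.cookies.values()]); }
  // Audit helper: names of cookies that script can read (no HttpOnly flag).
  scriptReadable() {
    return [...this.cookies.values()].filter((c) => !c.httpOnly).map((c) => c.name);
  }
}

// Feed a list of Set-Cookie header values and report both views of the jar.
function demo(headers) {
  const jar = new CookieJar();
  headers.forEach((h) => jar.store(h));
  return {
    script: jar.documentCookie(),
    request: jar.requestHeader(),
    readable: jar.scriptReadable(),
  };
}

// Constructed sample: the questioner's case (only an HttpOnly session cookie),
// then the same jar with an ordinary preference cookie added.
console.log(demo(['sessid=abc123; path=/; HttpOnly']));
console.log(demo(['sessid=abc123; path=/; HttpOnly', 'theme=dark; path=/']));
```
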
