Reputation: 357
I opened the cookie browser for Firefox and noticed that my localhost (PHP/Apache) has a cookie named sessid. But when I tried `document.cookie` in the browser, the result is "". How is that possible?
Upvotes: 3
Views: 2672
Reputation: 34042
Cookies created by some server-side application (or PHP) can be marked as `httpOnly`. Then these cookies are not visible to JavaScript on the client side; however, the cookies are still transmitted in HTTP(S) requests.
PHP session cookies are marked as `httpOnly`, thus you cannot access them using `document.cookie`.
The reason for this feature was to mitigate some cross-site scripting attacks (cookie stealing).
Upvotes: 4
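The behaviour described in the answer above, as an added example that is not part of the original posts: a simplified model of a browser cookie jar showing that an `HttpOnly` cookie is withheld from `document.cookie` but still sent in the `Cookie` request header. The function names and the sample `Set-Cookie` values are constructed for illustration, and domain, path and expiry matching are left out.

```javascript
// Simplified cookie-jar model (assumption: one origin, no domain/path/expiry rules).
// Constructed sample Set-Cookie header values, as a server might send them.
const sampleSetCookie = [
  "sessid=k3f9a2c7; path=/; HttpOnly",
  "theme=dark; path=/",
];

// Parse one Set-Cookie value into { name, value, httpOnly }.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) return null; // no cookie name: ignore the header
  return {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    // Attribute names are case-insensitive ("HttpOnly", "httponly", ...).
    httpOnly: attrs.some((a) => a.toLowerCase() === "httponly"),
  };
}

// Store cookies by name; a later cookie with the same name replaces the earlier one.
function buildJar(headers) {
  const jar = new Map();
  for (const h of headers) {
    const c = parseSetCookie(h);
    if (c) jar.set(c.name, c);
  }
  return jar;
}

const serialize = (cookies) =>
  cookies.map((c) => `${c.name}=${c.value}`).join("; ");

// What page script gets from document.cookie: HttpOnly cookies are filtered out.
function documentCookie(jar) {
  return serialize([...jar.values()].filter((c) => !c.httpOnly));
}

// What the browser puts in the Cookie request header: every stored cookie.
function cookieRequestHeader(jar) {
  return serialize([...jar.values()]);
}

const jar = buildJar(sampleSetCookie);
console.log("document.cookie :", JSON.stringify(documentCookie(jar)));
console.log("Cookie header   :", JSON.stringify(cookieRequestHeader(jar)));
```

With only the `sessid` header in the jar, `documentCookie` returns the empty string, which is the result the question describes.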