Reputation: 5858
Are my cookies really HTTP only? Flag is absent in Cookie request header
Ive made some configurations to (finally) have my cookies set on HTTP only.
"Seem" to work.
Ive tried them with postman and I have the following:
When I hit the login page:
On the cookies section, my cookie with name JSESSIONID appears to be HTTP only (it has the check)
When I enter to the logged area , the same result...
The headers dont give me more details.
Then,
I check it with google chrome. I open the developers toolbar.
I load the login page.
At the headers on the response headers I get
Set-Cookie: JSESSIONID=434434..... HttpOnly
So, its fine (I guess).
Then I reload the page (or sign in).
Then the problem:
No response headers received.
The Request Headers brings my cookie (with the same ID at then the previous one) without the httponly, host info or any other cookie value I set before.
At the cookies tab I get Request Cookies only and no Response cookie.
And the request cookie is non http-only
At my resources tab, the Cookie is there, as HTTP only and with the previous values I set.
My question now is... Is it a really http-only cookie? Or my configuration is not properly set?
Should I always get the response cookie or the request cookie should be always http-only (In case I am trying to set it as http-only) or is this behavior normal (or at least accepted) ?
When I try to print my cookie with Javascript at both scenarios I get a null as response (what makes me think then it is correct).
Ideas?
Upvotes: 2
Views: 2932
Answers (1)
Reputation: 1108742
Client doesn't send cookie attributes other than name and value back to server.
See also RFC6265 section 4.2.2 (emphasis mine).
4.2.2. Semantics
Each cookie-pair represents a cookie stored by the user agent. The cookie-pair contains the cookie-name and cookie-value the user agent received in the Set-Cookie header.
Notice that the cookie attributes are not returned. In particular, the server cannot determine from the Cookie header alone when a cookie will expire, for which hosts the cookie is valid, for which paths the cookie is valid, or whether the cookie was set with the Secure or HttpOnly attributes.
Everything's behaving as specified.
Upvotes: 2
Related Questions
- How to use java.net.URLConnection to fire and handle HTTP requests
- Are HTTP cookies port specific?
- "Cross origin requests are only supported for HTTP." error when loading a local file
- How are parameters sent in an HTTP POST request?
- Why is it common to put CSRF prevention tokens in cookies?
- Use of PUT vs PATCH methods in REST API real life scenarios
- Response to preflight request doesn't pass access control check - No 'Access-Control-Allow-Origin' header
- Set cookies for cross origin requests
- Cookie blocked/not saved in IFRAME in Internet Explorer
- How do HttpOnly cookies work with AJAX requests?