Partner with experts to accelerate your digital transformation journey
Bobcares

What Happens When Cookies Are Set with the HttpOnly Attribute?

PDF Header PDF Footer

Learn why Cookies are set with the HttpOnly Attribute. Our IIS Support team is here to assist you with any questions or concerns you may have.

What Happens When Cookies Are Set with the HttpOnly Attribute

What Happens When Cookies Are Set with the HttpOnly AttributeSession cookies are often targeted in attacks, making their protection vital for any secure web app.
This is where the `HttpOnly` attribute shines. Let’s dive into what this means, why it matters, and how to implement it effectively.

An Introduction to the `HttpOnly` Attribute

The `HttpOnly` attribute is a flag used in HTTP response headers to instruct the browser that a cookie should not be accessible via client-side scripts such as JavaScript. When this attribute is applied to a cookie, it becomes readable only by the server. This simple restriction can reduce the risk of cross-site scripting (XSS) attacks, which can lead to session hijacking.

For example:

Set-Cookie: sessionId=abc123; HttpOnly; Path=/

In the example above, the `HttpOnly` flag ensures that the `sessionId` cookie cannot be accessed using `document.cookie` or any other client-side method.

What Makes HttpOnly Cookies So Useful?

Cookies often store sensitive data such as session IDs or authentication tokens. If these cookies are accessible via JavaScript, they become easy targets for XSS attacks. Once a malicious script retrieves a user’s session cookie, it can send that data to an attacker’s server, allowing them to impersonate the user.

By setting the `HttpOnly` attribute:

  • Cookies become inaccessible to scripts running in the browser.
  • Attackers are unable to steal session data using client-side exploits.
  • The overall attack surface for session hijacking is significantly reduced.

If you’re troubleshooting issues related to authentication, like HTTP Error 401.3 – Unauthorized, it’s worth verifying how cookies are handled in your IIS configuration. Learn more about fixing HTTP Error 401.3 in IIS.

How to Enable `HttpOnly` in ASP.NET (IIS)

If we are using ASP.NET, we can configure the application to automatically set the `HttpOnly` flag on all cookies by modifying the `web.config` file.

  1. First, locate and open the application’s `web.config` file.
  2. Then, add the following line inside the “ section:

    <configuration>
    <system.web>
    <httpCookies httpOnlyCookies="true" />
    </system.web>>
    </configuration>

Setting the `httpOnlyCookies` attribute to `true` ensures that all cookies created by our application will include the `HttpOnly` flag.

While all modern browsers support the `HttpOnly` attribute, older browsers might ignore it or treat such cookies as regular ones.

If you’re configuring other aspects of IIS, like dealing with non-working redirects or rewriting URLs while maintaining query strings, these guides may help:

HttpOnly in Java Web Applications

For Java web applications, especially those using JSP or Servlets, session cookies (such as `JSESSIONID`) are typically created by the container. The ability to set the `HttpOnly` attribute on these cookies depends on the container you are using (e.g., Tomcat, Jetty, etc.).

Here are some key points:

  • `HttpOnly` cookies must be set by the server.
  • They cannot be created or modified via JavaScript.
  • Container-specific configuration or filters may be required to enforce the `HttpOnly` attribute on session cookies.

Here’s a conceptual example of setting a cookie with `HttpOnly` in Java:


Cookie cookie = new Cookie("sessionId", "abc123");
cookie.setHttpOnly(true);
response.addCookie(cookie);
Encountering a “Service Unavailable” error? This might indicate an issue with the application pool. Learn how to fix IIS HTTP Error 503 – The service is unavailable.

[Need assistance with a different issue? Our team is available 24/7.]

Conclusion

Setting the `HttpOnly` attribute is a best practice for securing session data and defending against client-side attacks. It adds an essential layer of protection to our application’s authentication mechanism.

In brief, our Support Experts demonstrated the numerous security benefits of setting cookies with the HttpOnly attribute.

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *

Get featured on the Bobcares blog and share your expertise with a global tech audience.

WRITE FOR US
server management

Spend time on your business, not on your servers.

TALK TO US

Or click here to learn more.

Speed issues driving customers away?
We’ve got your back!

Privacy Preference Center

Necessary

Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.

PHPSESSID - Preserves user session state across page requests.

gdpr[consent_types] - Used to store user consents.

gdpr[allowed_cookies] - Used to store user allowed cookies.

PHPSESSID, gdpr[consent_types], gdpr[allowed_cookies]
PHPSESSID
WHMCSpKDlPzh2chML

Statistics

Statistic cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.

_ga - Preserves user session state across page requests.

_gat - Used by Google Analytics to throttle request rate

_gid - Registers a unique ID that is used to generate statistical data on how you use the website.

smartlookCookie - Used to collect user device and location information of the site visitors to improve the websites User Experience.

_ga, _gat, _gid
_ga, _gat, _gid
smartlookCookie
_clck, _clsk, CLID, ANONCHK, MR, MUID, SM

Marketing

Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third party advertisers.

IDE - Used by Google DoubleClick to register and report the website user's actions after viewing or clicking one of the advertiser's ads with the purpose of measuring the efficacy of an ad and to present targeted ads to the user.

test_cookie - Used to check if the user's browser supports cookies.

1P_JAR - Google cookie. These cookies are used to collect website statistics and track conversion rates.

NID - Registers a unique ID that identifies a returning user's device. The ID is used for serving ads that are most relevant to the user.

DV - Google ad personalisation

_reb2bgeo - The visitor's geographical location

_reb2bloaded - Whether or not the script loaded for the visitor

_reb2bref - The referring URL for the visit

_reb2bsessionID - The visitor's RB2B session ID

_reb2buid - The visitor's RB2B user ID

IDE, test_cookie, 1P_JAR, NID, DV, NID
IDE, test_cookie
1P_JAR, NID, DV
NID
hblid
_reb2bgeo, _reb2bloaded, _reb2bref, _reb2bsessionID, _reb2buid

Security

These are essential site cookies, used by the google reCAPTCHA. These cookies use an unique identifier to verify if a visitor is human or a bot.

SID, APISID, HSID, NID, PREF
SID, APISID, HSID, NID, PREF