Sunday, November 18, 2007

HTTPOnly Cookies

To mitigate cross site scripting dangers, Microsoft pioneered the usage of HTTPOnly cookies.

One of the more common security problems plaguing Web servers is cross-site scripting. Cross-site scripting is a server-side vulnerability that is often created when rendering user input as HTML. Cross-site scripting attacks can expose sensitive information about the users of the Web site. In order to help mitigate the risk of cross-site scripting, a new feature has been introduced in Microsoft Internet Explorer 6. This feature is a new attribute for cookies which prevents them from being accessed through client-side script. A cookie with this attribute is called an HTTP-only cookie. Any information contained in an HTTP-only cookie is less likely to be disclosed to a hacker or a malicious Web site. The following example is a header that sets an HTTP-only cookie.

The cookie looks like:
Set-Cookie: USER=123; expires=Wednesday, 09-Nov-09 13:12:10 GMT; HttpOnly

This is certainly a positive step. Now Firefox (v3) has agreed to support HTTPOnly cookies, and Opera (v9.5 onwards) is also going to support them.

According to Johnathan Nightingale of Mozilla (over email), "This allows site authors to specify that certain cookies, e.g. session tracking cookies or those with otherwise sensitive information, be available only as part of the http request, and not accessible to script. This is opt-in, but it has the advantage that the user is protected without a need to involve them in the decision process. It also preserves the innocent cases of script-based cookie manipulation where no sensitive information is involved."

As far as I know, there is no support for configuring cookies to be HttpOnly in Apache Tomcat. What you can probably do is create a Tomcat valve which, on the return path, adds the HttpOnly flag to the cookies via the header:

response.setHeader("Set-Cookie", "something=" + value + "; HttpOnly");

UPDATE (25 SEPT 2008): HttpOnly support is being included in the Servlet 3.0 specification, which will probably be approved soon. This should lead Tomcat/JBossWeb to support it as soon as possible. Check Rajiv Mordani's post.

1 comment:

Jim Manico said...

Please see for efforts underway for Tomcat HttpOnly support.