You are not logged in. Please login or register.
PunBB Forums → Programming → Cookie parameter Httponly, does it work outside MSIE?
Just wondering, if you have an idea of that parameter being implemented on other navigators, since it doesn't belong to the original specification, it wasn't beofre. But times change, and it's a nice way to help protect cookies from xss 
Marc
I have no idea what it is. Perhaps you can enlighten me?
Well, cookies can be read through javascript (try alert(document.cookie); if you want to see it at work), that's one of the ways cookie hijacking happens, if you can insert some script into a website and have the cookie transferred to somewhere else. MS decided that adding another value after the 'secure' that specified that this cookie can only be read through http communications, they would help mitigate xss vulnerability. Which is true, only that they implemented it AFAIK alone, outside the NS cookie specification.
Since I'm not that fan of using several browsers, and my natural market are fully MS oriented, I've been using it for long (in fact, I modified punBB's cookie to send it that as well 
), but I couldn't help noticing that some people here use non-standard browsers (namely, at least firefox), so...
I could write a simple page that tested it, but I am a lazy person, if somebody knows, it's easier asking
Marc
I had no idea there was such a value. It seems like a very simple solution to a big problem.
I can try it in Firefox and Opera if you like. Do you have a test URL?
Yeow, sure, took a while to set it up in a way that you could see the difference...
And now don't come down on me cause that server supports asp only.
My JS response is:
Navigator: Microsoft Internet Explorer
Version: 4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
Minor version: ;SP1;Q810847;Q813951;Q813489;Q330994;Q818529;...;
Cookies:
NoHTTPOnly=Visible; ASPSESSIONIDGGGGGGGG=Whatever...
If you can see the httponly cookies, you'll get something like:
NoHTTPOnly=Visible; HTTPOnly=Invisible_for_MSIE; ASPSESSIONIDGGGGGGGG=Whatever...
Marc
PS: I added some extra info on the JS. If your MSIE is not 6.01+, it should display both cookies + the session id.
PPS: Thanks for testing this one
Opera 7.23:
Navigator: Microsoft Internet Explorer Version: 4.0 (compatible; MSIE 6.0; Windows NT 5.1) Minor version: Cookies: ASPSESSIONIDGGGGGGGG=KPDNAGMCDMQSLZIAQKWKESQQPQQQHECE; NoHTTPOnly=Visible; HTTPOnly=Invisible_for_MSIE
Firefox: Nothing :/
Whaddayamean Nothing?
Doesn't it support javascript? The code's nothing fancy, mind you...
Well, I can strip it into two parts, let's see...
try again, if you please :-)
Be warned that this trick *can* be bypassed, but it requires elaborate code using at least two different technologies. But, it's still something to look at, I expect future developments on the matter, if other browsers start implementing this correctly
Ok, first of all. What is supposed to happen exactly?
You receive two cookies on the first load of the page. Since The server cannot read if the cookies were accepted until the page is reloaded, that's why there's a reload button. If you reload, then on the lines below, a description of both cookies should appear:
NoHTTPOnly=Visible
HTTPOnly=Invisible_for_MSIE
Then, pressing any of the other buttons, you should see either that the invisible label becomes visible with info similar to that one provided by opera, or that it appears on a popup. I don't have *any* experience with firefox, so I can't tell, although I've DLed it, I'm not that eager to install more soft on this machine, so I'll probably start up the linux box and test it there.
The thing is, if you're using MSIE6.01 or superior, the cookies that include HttpOnly cannot be read from a script within the page, thus making them in theory invulnerable to xss cookie hijacking. I say in theory, cause you could create a java applet that accessed directly the page and stole the whole http headers, but then the site must already be xss vulnerable, as usual. Somebody mentioned a combination of flash, java and a script could in theory allow you to steal the cookie, so this new behavior of the navigator is not a panacea, but it's a first step, which makes it much harder to properly abuse an xss vulnerability. But not impossible. Navigators that don't support the httponly tag, should degrade gracefully and have no further problems (but no special immunity also) whatsoever.
Fiu, whether it works or not, you can't say I didn't write about it
Marc
Ok, now I understand. I just got lost in all the buttons. One button would have been enough :)
In Firefox, the only thing that is visible is the ASPSESSIONID thingy. NoHTTPOnly and HTTPOnly are not displayed (neither on the page itself or in the alert box). Also, the "Click to see JS available cookies on this page" button doesn't work. Nothing happens when I click it.
In Opera 7.23 all the variables are displayed. That is, it doesn't support HTTPOnly.
Here are screenshots of the results:
Well, I guess that settles it: Firefox doesn't "degrade gracefully", and opera does but doesn't support the standard modification.
So it's still a very MSIE-only like thing 
Well, it'll have to do
Tak!
Marc
Tak!
That's danish :)
Ehhh ¿sorry?
It sounded like that when I heard it... now I'm not so sure *where* I heard it. I couldn't understand half of what she said anyway... like it would have made a difference
The other word I *thought* I knew was 'Hej', now if you tell me that's Norwegian or Icelandic... I'll go buy that dictionary
I actually think hej is swedish, danish and norwegian.
Those are the words I like!
But you made me look after that one... and man, it's sooooo different... Tack... well, not that bad a choice, I never saw it written, just heard it. And thanks god it didn't have one of those strange as with an o on top... which sound similar but not quite like the german ä...
Oh, well, looky what I found here...
The Swedish for ONION is LÖK (LOOK)
Imagine you look like an onion.
The Swedish for CAKE is TARTA (TORTA)
Imagine your daughter eating cake.
The Swedish for MUSHROOM is SVAMP (SVAMP)
Imagine a large mushroom growing in a swamp.
The Swedish for MEAT is KÖTT (SHUT)
Imagine you shut the door on someone throwing meat at you.
The Swedish for SUGAR is SOCKER (SOCCER)
Imagine a game of soccer on a field of sugar.
The Swedish for WATER is VATTEN (VATTA)
Imagine you get fatter with water.
The Swedish for SOUP is SOPPA (SOPA)
Imagine soup that tastes like soap.
So I guess swedish soup is not that good <lol>
Hahaha
I actually think hej is swedish, danish and norwegian.
"Hei" is Norwegian
PunBB Forums → Programming → Cookie parameter Httponly, does it work outside MSIE?
Powered by PunBB, supported by Informer Technologies, Inc.