StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

POHow do HttpOnly cookies work with AJAX requests?
primarykey
Id
27972
data
AcceptedAnswerId
0
AnswerCount
9
ClosedDate
CommentCount
2
CommunityOwnedDate
CreationDate
2008-08-26T13:06:14.860
FavoriteCount
73
LastActivityDate
2016-07-16T03:25:29.827
LastEditDate
2010-04-09T13:11:48.090
LastEditorUserId
26
OwnerUserId
26
ParentId
0
PostTypeId
1
Score
178
ViewCount
61862
LastEditorDisplayName
Shawn
text
Body
JavaScript needs access to cookies if AJAX is used on a site with access restrictions based on cookies. Will HttpOnly cookies work on an AJAX site? Edit: Microsoft created a way to prevent XSS attacks by disallowing JavaScript access to cookies if HttpOnly is specified. FireFox later adopted this. So my question is: If you are using AJAX on a site, like StackOverflow, are Http-Only cookies an option? Edit 2: Question 2. If the purpose of HttpOnly is to prevent JavaScript access to cookies, and you can still retrieve the cookies via JavaScript through the XmlHttpRequest Object, what is the point of HttpOnly? Edit 3: Here is a quote from Wikipedia: <blockquote> When the browser receives such a cookie, it is supposed to use it as usual in the following HTTP exchanges, but not to make it visible to client-side scripts.[32] The <code>HttpOnly</code> flag is not part of any standard, and is not implemented in all browsers. Note that there is currently no prevention of reading or writing the session cookie via a XMLHTTPRequest. [33]. </blockquote> I understand that <code>document.cookie</code> is blocked when you use HttpOnly. But it seems that you can still read cookie values in the XMLHttpRequest object, allowing for XSS. How does HttpOnly make you any safer than? By making cookies essentially read only? In your example, I cannot write to your <code>document.cookie</code>, but I can still steal your cookie and post it to my domain using the XMLHttpRequest object. <pre><code><script type="text/javascript"> var req = null; try { req = new XMLHttpRequest(); } catch(e) {} if (!req) try { req = new ActiveXObject("Msxml2.XMLHTTP"); } catch(e) {} if (!req) try { req = new ActiveXObject("Microsoft.XMLHTTP"); } catch(e) {} req.open('GET', 'http://stackoverflow.com/', false); req.send(null); alert(req.getAllResponseHeaders()); </script> </code></pre> Edit 4: Sorry, I meant that you could send the XMLHttpRequest to the StackOverflow domain, and then save the result of getAllResponseHeaders() to a string, regex out the cookie, and then post that to an external domain. It appears that Wikipedia and ha.ckers concur with me on this one, but I would love be re-educated... Final Edit: Ahh, apparently both sites are wrong, this is actually a <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=380418" rel="noreferrer">bug in FireFox</a>. IE6 & 7 are actually the only browsers that currently fully support HttpOnly. To reiterate everything I've learned: <ul> <li>HttpOnly restricts all access to document.cookie in IE7 & and FireFox (not sure about other browsers)</li> <li>HttpOnly removes cookie information from the response headers in XMLHttpObject.getAllResponseHeaders() in IE7.</li> <li>XMLHttpObjects may only be submitted to the domain they originated from, so there is no cross-domain posting of the cookies.</li> </ul> edit: This information is likely no longer up to date.
Tags
<ajax><cookies><httponly>
Title
How do HttpOnly cookies work with AJAX requests?
singulars
PostAcceptedAnswerId
1. This table or related slice is empty.
PostParentId
1. This table or related slice is empty.
PostTypePostTypeId
1. PTQuestion
UserLastEditorUserId
1. USShawn
UserOwnerUserId
1. USShawn
plurals
PostLinksPostIdRelatedPostId
1. This table or related slice is empty.
PostLinksRelatedPostIdPostId
1. PL
 singulars
 LinkTypeLinkTypeId
 LTLinked
2. PL
 singulars
 LinkTypeLinkTypeId
 LTLinked
3. PL
 singulars
 LinkTypeLinkTypeId
 LTLinked
PostsAcceptedAnswerId
1. This table or related slice is empty.
PostsParentIdCreationDate
1. PO
 singulars
 PostTypePostTypeId
 PTAnswer
2. PO
 singulars
 PostTypePostTypeId
 PTAnswer
3. PO
 singulars
 PostTypePostTypeId
 PTAnswer
VotesPostIdCreationDate
1. VO
 singulars
 PostPostId
 POHow do HttpOnly cookies work with AJAX requests?
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
2. VO
 singulars
 PostPostId
 POHow do HttpOnly cookies work with AJAX requests?
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
3. VO
 singulars
 PostPostId
 POHow do HttpOnly cookies work with AJAX requests?
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
CommentsPostId
1. COI threw your example in a greasemonkey script and it looks like FF no longer displays cookies. Excellent research and example.
 singulars
 PostPostId
 POHow do HttpOnly cookies work with AJAX requests?
 UserUserId
 This table or related slice is empty.

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.