[web-devel] HttpOnly

Gregory Collins greg at gregorycollins.net
Thu Jun 30 16:27:15 CEST 2011

On Thu, Jun 30, 2011 at 9:58 AM, Michael Snoyman <michael at snoyman.com> wrote:
> Hi all,
> * I recently heard that Snap also uses client-side sessions. If this
> is true, what packages does it use?

We have some prototype stuff that isn't released yet, and I didn't
write it so I don't know much about it.

> * Can anyone think of a downside to setting HttpOnly on session cookies?

No, especially if they are encrypted. In that case, the only use case
for JS to access them is to steal them.

Gregory Collins <greg at gregorycollins.net>
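
A check for the setting discussed in this thread, as an added example that is not part of the original message or of either framework's code: it parses Set-Cookie header values and reports session cookies sent without HttpOnly. The cookie names and header values are constructed assumptions.

```python
# Added example: audit Set-Cookie headers for the HttpOnly attribute.
# Cookie names and header values below are constructed sample data.

SESSION_COOKIE_NAMES = {"_SESSION", "sid"}  # assumption: names used for session cookies


def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (name, value, attributes).

    Attribute names are lower-cased because they are matched
    case-insensitively (RFC 6265); flag attributes such as HttpOnly map to True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, sep, value = parts[0].partition("=")
    if not sep or not name.strip():
        raise ValueError("malformed Set-Cookie value: %r" % header_value)
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def script_readable_session_cookies(set_cookie_headers,
                                    session_names=SESSION_COOKIE_NAMES):
    """Return names of session cookies that page scripts could read,
    i.e. session cookies whose Set-Cookie header lacks HttpOnly."""
    exposed = []
    for header in set_cookie_headers:
        name, _value, attrs = parse_set_cookie(header)
        if name in session_names and "httponly" not in attrs:
            exposed.append(name)
    return exposed


# Constructed sample response headers (not captured from a real site).
SAMPLE_HEADERS = [
    "_SESSION=Zm9vYmFy; Path=/; Expires=Thu, 30 Jun 2011 18:27:15 GMT; HttpOnly",
    "sid=abc123; Path=/",
    "theme=dark; Path=/",
    "_SESSION=Zm9vYmFy; Path=/admin; httponly",
]

if __name__ == "__main__":
    print(script_readable_session_cookies(SAMPLE_HEADERS))
```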
