[web-devel] HttpOnly
Gregory Collins
greg at gregorycollins.net
Thu Jun 30 16:27:15 CEST 2011
On Thu, Jun 30, 2011 at 9:58 AM, Michael Snoyman <michael at snoyman.com> wrote:
> Hi all,
>
> * I recently heard that Snap also uses client-side sessions. If this
> is true, what packages does it use?

We have some prototype stuff that isn't released yet, and I didn't
write it so I don't know much about it.

> * Can anyone think of a downside to setting HttpOnly on session cookies?

No, especially if they are encrypted. In that case, the only use case
for JS to access them is to steal them.

G
--
Gregory Collins <greg at gregorycollins.net>