[web-devel] HttpOnly

Gregory Collins greg at gregorycollins.net
Thu Jun 30 17:56:27 CEST 2011

On Thu, Jun 30, 2011 at 10:39 AM, Chris Smith <cdsmith at gmail.com> wrote:
> On Jun 30, 2011 8:25 AM, "Chris Smith" <cdsmith at gmail.com> wrote:
>> The kinds of cookies generated by clientsession are not really vulnerable
>> to
>> cookie-stealing attacks anywa due to the encryption that goes on [...]
> On further thought, I'm wrong about this... but the conclusion is the same;
> those cookies definitely ought to be setting the http-only flag.

Yeah, even if the cookie is an opaque blob it could be vulnerable to
time-limited replay attack. Not worth it.

Gregory Collins <greg at gregorycollins.net>

More information about the web-devel mailing list