Via Securiteam Blog -
HttpOnly cookies are a mechanism Microsoft developed for IE6 SP1 to add some security to cookies. The web developer would set a cookie (for instance the session cookie) to be HttpOnly (both ASP and PHP support setting HttpOnly cookies) and the browser would only ever use that cookie when sending HTTP requests, not when client side scripting asks to read the cookie. This means if there was a cross site scripting flaw on the website the JS wouldn’t be able to use the cookies. The solution isn’t perfect, but it does what it’s meant to do and doesn’t harm anyone.
Support for this is already in the Firefox 3 alphas, if you are inclined to use them, otherwise you’ll have to wait until November or so for the first official ff3 release.
If you are a web developer I suggest you start updating your code to use HttpOnly where applicable.
---------------------------------------------
Microsoft MSDN - Mitigating Cross-site Scripting With HTTP-only Cookies
I guess it is only a matter of time before Opera supports them as well....
No comments:
Post a Comment