Can secure cookie be read by javascript?

Secure cookies can be read with JavaScript, but HTTPOnly ones cannot. This means that if both flags are set, they cannot be read - the flags are terribly named.

Secure is to do with transmission - they should only be sent over HTTPS connections - but it is possible to set secure cookies from JS, and there isn't any specific expectation that they cannot be read by JS.

HTTPOnly is to do with client side access - they can't be viewed by JS, but can be sent over HTTP (and HTTPS - I have seen people claiming that they can only be sent over plain HTTP, which is not the case) connections for access by server-side scripts.

In many cases, both flags are set. In that case, the cookie will only be sent over HTTPS connections, and will be inaccessible by client side scripts.

What makes this more complicated is that cookies can have various parameters set, such as the domain and path attributes. If a cookie has the same name as a pre-existing cookie, but different values for any of these flags, a new cookie will be created. By the same token, if a cookie has a domain attribute set, attempting to delete it without including the domain attribute won't work - it deletes the non-existent cookie with the same name and no domain. Oh, and if you have the same domain and path for a secure cookie, and attempt to overwrite it without setting the secure flag, it doesn't create a new cookie, just removes the secure flag and sets the new value - this is a bit counterintuitive given the domain/path behaviour.

In order to delete a cookie from JS, therefore, you need to ensure that you are addressing the correct cookie by both name and flag values, and that it doesn't have the HTTPOnly flag set, and that you're on a page with an HTTPS certificate. If any of these are not true, you won't be able to edit/delete it.
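As an added illustration of the identity and overwrite rules the answer above describes (this is not the answer author's code), here is a small model of a browser cookie store following the RFC 6265 storage algorithm plus the "Secure cookies only from a secure origin" rule; the CookieJar class, the ctx object and all cookie values are constructed for the example:

```javascript
// Constructed model of a browser cookie store (not real browser code):
// a cookie is identified by (name, domain, path); a new cookie with the
// same triple replaces the old one and does NOT inherit its flags;
// script cannot create, replace or delete HttpOnly cookies; Secure
// cookies can only be set or replaced from a secure (https) origin.
class CookieJar {
  constructor() { this.cookies = []; }

  // Parse "name=value; attr; attr=value" into a cookie object.
  // Only the attributes relevant here are modelled; a Max-Age <= 0
  // marks the cookie for deletion (expires=<past date> behaves alike).
  static parse(str, defaultDomain, defaultPath) {
    const [pair, ...attrs] = str.split(';').map(s => s.trim());
    const eq = pair.indexOf('='); // "name=value" is assumed present
    const c = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                domain: defaultDomain, path: defaultPath,
                secure: false, httpOnly: false, expired: false };
    for (const a of attrs) {
      const i = a.indexOf('=');
      const k = (i < 0 ? a : a.slice(0, i)).toLowerCase();
      const v = i < 0 ? '' : a.slice(i + 1).trim();
      if (k === 'domain') c.domain = v.toLowerCase();
      else if (k === 'path') c.path = v;
      else if (k === 'secure') c.secure = true;
      else if (k === 'httponly') c.httpOnly = true;
      else if (k === 'max-age') c.expired = Number(v) <= 0;
    }
    return c;
  }

  // ctx: { fromJs, secureOrigin, domain, path } says who is setting the
  // cookie and from which page. Returns true if the store was updated.
  set(str, ctx) {
    const c = CookieJar.parse(str, ctx.domain, ctx.path);
    if (ctx.fromJs && c.httpOnly) return false;      // JS cannot set HttpOnly
    if (c.secure && !ctx.secureOrigin) return false; // Secure needs https
    const idx = this.cookies.findIndex(o =>
      o.name === c.name && o.domain === c.domain && o.path === c.path);
    if (idx >= 0) {
      const old = this.cookies[idx];
      if (ctx.fromJs && old.httpOnly) return false;      // JS cannot replace/delete HttpOnly
      if (old.secure && !ctx.secureOrigin) return false; // http page cannot touch Secure
      this.cookies.splice(idx, 1);                       // old flags are gone
    }
    if (!c.expired) this.cookies.push(c);
    return true;
  }

  get(name) { return this.cookies.filter(c => c.name === name); }
}
```

With a cookie stored as `sid=abc; domain=example.com; path=/; secure` from a page on www.example.com, `jar.set('sid=; max-age=0', ctx)` without the domain attribute leaves it untouched, while `jar.set('sid=xyz; domain=example.com; path=/', ctx)` replaces it and drops the Secure flag.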


A secured cookie is a cookie that works with HTTP/HTTPS, known as an httpOnly cookie. These cookies are only used for HTTP requests, so unethical access through scripting is not possible. Therefore, cross-site scripting can be stopped, which in turn stops attacks.

The secure attribute is always activated for secured cookies, so it is transmitted with encrypted connections, without any hassles and security issues. The httpOnly flag does not give cookie access to JavaScript or any non-HTTP methods. This is situated in the secure cookie header.

The secure attribute and httpOnly flag ensure that the browser does not allow malicious scripts to access the secure cookie data.


Updated on 30-Jul-2019 22:30:21


Cookies are widely used throughout the Web because they allow publishers to store data directly on the user’s Web browser. They’re particularly used to identify the user’s session, allowing the web server to recognize the user as they navigate through the site, and generally contain sensitive data. You have to properly protect them.


A small reminder: each time a server responds to a request, the HTTP response may contain a Set-Cookie instruction (as an HTTP header) requesting the web browser to create one or more cookies associated with one or more domains. Those cookies store information that will be transmitted in future requests on these domains.

Here is the syntax of such a header:

Set-Cookie: <name>=<value>[; Max-Age=<age>][; expires=<date>][; domain=<domain_name>][; path=<some_path>][; secure][; HttpOnly]

Every cookie is identified by its name and stores a value. A lifetime (max-age) or an expiry date can be defined, to limit data retention over time. Note that if both attributes are set then the lifetime value (max-age) will prevail.

By default, a cookie is always associated with the location of the current document (domain as well as path), but the Set-Cookie header allows you to define custom values that restrict or extend where the cookie will be sent (for example, if a domain is specified, subdomains will be included). Consequently, one of the best practices regarding the security of cookies is to properly manage their scope.

The last two attributes, secure and HttpOnly, specifically deal with security. Please note that they do not require any associated value: their very presence is enough for the browser to behave as expected when it comes to the cookie.

A cookie can be set and used over HTTP (communication between a web server and a web browser), but also directly on the web browser via JavaScript.

In the case of an XSS vulnerability, an attacker could inject malicious JavaScript into the page and potentially access the cookies which, as a reminder, often contain sensitive information. Needless to say, a website should not have XSS vulnerabilities; it's a major security issue. But it's hardly possible to make sure you never have one (Content Security Policy can be an additional way to protect your visitors from the exploitation of an XSS attack).
The "HttpOnly" flag blocks access to the related cookie from the client side (it can't be used from JavaScript code): if an attacker were to succeed in injecting some JavaScript despite all your precautions, he won't be able to access the cookies anyway. That will significantly limit the attack's reach.

We regularly recommend it on this blog: your website should use HTTPS. If you have already adopted this protocol and applied our previous advice, you may think that your cookies are protected, as they can only be transmitted through a secure connection and cannot be accessed through JavaScript (thanks to the HttpOnly flag). Unfortunately, a significant issue remains.
What if a user comes to your website via HTTP, for example because he's typing your URL without "https://"? This could also happen if your web page contains mixed content.
Setting an HTTP Strict Transport Security (HSTS) header, which enforces HTTPS usage, will limit the risk for all subsequent visits, but not for the first one. And not all browsers support this header.

Actually, only the Secure attribute lets you forbid a cookie from ever being transmitted over plain HTTP.

The value of this flag is clearly stated in the HTTP State Management Mechanism RFC (RFC 6265):

Servers that require a higher level of security SHOULD use the Cookie and Set-Cookie headers only over a secure channel. When using cookies over a secure channel, servers SHOULD set the Secure attribute (see Section 4.1.2.5) for every cookie. If a server does not set the Secure attribute, the protection provided by the secure channel will be largely moot.

Obviously, keep in mind that a cookie carrying the Secure flag will never be sent to the HTTP version of your website. So be careful if your website still has both HTTPS and HTTP areas.
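To check these attributes on actual responses, here is an added example (not the blog's tool) that audits Set-Cookie headers for the Secure and HttpOnly flags, the Domain scope and the Max-Age/Expires rule described above; the functions and the sample header strings are constructed for the example:

```javascript
// Audit Set-Cookie response headers for the attributes discussed above.
// Constructed example; attribute names are case-insensitive (RFC 6265).
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';');
  const eq = pair.indexOf('=');
  const name = (eq < 0 ? pair : pair.slice(0, eq)).trim();
  const attrs = {};
  for (const part of rest) {
    const i = part.indexOf('=');
    const key = (i < 0 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i < 0 ? true : part.slice(i + 1).trim(); // flag attrs carry no value
  }
  return { name, attrs };
}

// Returns the findings for one header; an empty list means well configured.
function auditSetCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  if (!('secure' in attrs))
    findings.push(`${name}: no Secure flag, cookie will also be sent over plain HTTP`);
  if (!('httponly' in attrs))
    findings.push(`${name}: no HttpOnly flag, cookie is readable from script (XSS)`);
  if ('domain' in attrs)
    findings.push(`${name}: Domain=${attrs.domain} widens scope to all subdomains`);
  if ('max-age' in attrs && 'expires' in attrs)
    findings.push(`${name}: both Max-Age and Expires set, Max-Age prevails`);
  return findings;
}

function auditAll(headers) { return headers.flatMap(auditSetCookie); }

// Constructed sample response headers (not captured from any real site).
const SAMPLE_HEADERS = [
  'sessionid=abc123; Path=/; Secure; HttpOnly',
  'prefs=dark; Domain=example.com; Path=/; Max-Age=3600; Expires=Fri, 31 Dec 2027 23:59:59 GMT',
  'csrftoken=t0k3n; Path=/; Secure',
];

console.log(auditAll(SAMPLE_HEADERS).join('\n'));
```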

Our web page analysis tool will let you ensure at a glance that all of your cookies are secured, by checking if HttpOnly and Secure are properly used!

Can JavaScript read all cookies?

You can access cookie information in JavaScript using document.cookie, but you will only be able to read the cookies that are on the same domain the script is being run on.
Answer. An HttpOnly cookie means that it's not available to scripting languages like JavaScript. So in JavaScript there is absolutely no API available to get/set the HttpOnly attribute of the cookie, as that would otherwise defeat the meaning of HttpOnly.
Press F12, go to the Network tab, and then press Start Capturing. Back in IE, open the page you want to view. Back in the F12 window you should see all the individual HTTP requests; select the one that's the page or asset you're checking the cookies on and double-click it.