Firefox 3 to support HttpOnly cookies
March 19th, 2007 by Sid, Filed under: Web, Microsoft
HttpOnly cookies are a mechanism Microsoft developed for IE6 SP1 to add some security to cookies. The web developer sets a cookie (for instance the session cookie) as HttpOnly (both ASP and PHP support setting HttpOnly cookies), and the browser will then only ever use that cookie when sending HTTP requests, never hand it over when client-side scripting asks to read it. This means that if there is a cross-site scripting flaw on the website, the injected JS can’t read the cookie. The solution isn’t perfect, but it does what it’s meant to do and doesn’t harm anyone.
Support for this is already in the Firefox 3 alphas, if you are inclined to use them, otherwise you’ll have to wait until November or so for the first official ff3 release.
If you are a web developer I suggest you start updating your code to use HttpOnly where applicable.
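As an added illustration (not code from the original post), here is a small Python model of the mechanism described above: a server-side helper that emits a session cookie with the HttpOnly flag, an audit that lists cookies from a set of constructed Set-Cookie headers that scripts could still read, and a toy of what a compliant browser exposes through document.cookie. Cookie names and values are made up for the sample.

```python
"""Toy model of HttpOnly: the server sets the flag, the script-visible view omits it."""
from http.cookies import SimpleCookie

# Constructed sample Set-Cookie header values, as a server might emit them.
SAMPLE_SET_COOKIE = [
    "PHPSESSID=3f9a1c; Path=/; HttpOnly",
    "prefs=dark; Path=/",
    "ASP.NET_SessionId=b7d2; Path=/; HttpOnly; Secure",
]


def session_cookie_header(name, value, secure=True):
    """Build a Set-Cookie value for a session cookie with HttpOnly set."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = "/"
    jar[name]["httponly"] = True    # keep it out of document.cookie
    if secure:
        jar[name]["secure"] = True  # only send it over HTTPS
    return jar[name].OutputString()


def parse_set_cookie(headers):
    """Parse a list of Set-Cookie header values into one cookie jar."""
    jar = SimpleCookie()
    for header in headers:
        jar.load(header)
    return jar


def missing_httponly(headers):
    """Audit: names of cookies that client-side script could still read."""
    jar = parse_set_cookie(headers)
    return sorted(name for name, morsel in jar.items() if not morsel["httponly"])


def script_visible(headers):
    """What a compliant browser hands to document.cookie: HttpOnly cookies are omitted."""
    jar = parse_set_cookie(headers)
    return "; ".join(f"{name}={morsel.value}"
                     for name, morsel in jar.items() if not morsel["httponly"])


if __name__ == "__main__":
    print(session_cookie_header("sid", "abc"))      # sid=abc; HttpOnly; Path=/; Secure
    print(missing_httponly(SAMPLE_SET_COOKIE))      # ['prefs']
    print(script_visible(SAMPLE_SET_COOKIE))        # prefs=dark
```

Only the non-HttpOnly cookie shows up in the script-visible view, which is exactly the property the post describes; the audit function is the check a developer can run against their own response headers.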
Note that a website in IE is actually allowed to write these cookies from javascript even though it can’t read them. Hopefully this will be fixed in IE and never occur in Firefox 3.
I blogged a post yesterday making almost the exact same points (linked to in my name). Hopefully people will start including support in their applications. As you said, it never hurts.
Indeed you did beat me to it.
From my previous blog entry about httpOnly I also linked to Stefan Esser’s Firefox extension:
https://addons.mozilla.org/firefox/3629/
XSS allows an attacker to do much more than just steal cookies. XSS gives an attacker almost complete control over the requests sent by the browser. Thus, I don’t see what the point is, really.
Agreed, adding this feature will not do much harm, but it will not do much good either.
You are very right that cookie stealing isn’t the only thing people do with XSS, but I do think that it is what most people do. It’s so much easier to steal cookies than to create a site-specific way to force the user into a specific action. Of course I have no way to back this up as I don’t have any figures.
To be honest I think what will be the problem about HttpOnly cookies is that developers won’t use them. I think MySpace uses them, but that’s the only site I can think of that does use them.
Actually this is excellent news, as by default the forms authentication cookie under ASP.NET 2.0 uses the HttpOnly attribute, so this will help secure these. As MySpace runs under ASP.NET 2.0, that’s why you’re seeing it there.
To make it clear, what I meant in my previous comment isn’t that this feature is useless. It isn’t. But it will only be effective against the most uneducated of attackers, i.e. with no programming skill and no knowledge of attack frameworks.
Nowadays, XSS frameworks are being developed. Hence the cost of building a custom XSS attack is getting lower and lower.
HttpOnly was a good idea when it was first thought of and implemented. Adding this feature now is a bit too late, a kind of rearguard fight.
Adding functionality to web development frameworks to escape output, as I hear was done in .NET, is a much better move I think, and this will work no matter what the browser is.
Cathal: Thanks for that, I didn’t know it was on by default in ASP.NET 2 (I don’t know much at all about ASP).
Erwan: You are right about the whole XSS framework thing. We’ll see how this pans out.
This is bad news for black hats. I think this is a good defense. I always thought XSS was pretty lame, now it’s even less of an impact than ever.
Well I would say supporting and using HttpOnly is a great idea. Cookie theft is a major issue that should be dealt with where possible. This is not a replacement for secure coding, but is an added layer of security. You can argue that someone can spend days crafting a specific attack for a specific user that doesn’t steal cookies, and this may very well be true. However, being able to stop someone from taking your session cookie and quickly jumping into an application as you — is quite a good thing. (This of course makes the assumption they are capable and there aren’t mitigating factors on the webapp to prevent the session theft). This feature should be supported by all clients and used just as much. -Steven