Firefox 3 to support HttpOnly cookies

HttpOnly cookies are a mechanism Microsoft developed for IE6 SP1 to add a measure of protection to cookies. The web developer sets a cookie (for instance the session cookie) to be HttpOnly (both ASP and PHP support setting HttpOnly cookies), and the browser will then only ever use that cookie when sending HTTP requests, never when client-side script asks to read it. This means that if there is a cross-site scripting (XSS) flaw on the website, the injected JavaScript can’t read the cookies. The solution isn’t perfect, but it does what it’s meant to do and doesn’t harm anyone.

Support for this is already in the Firefox 3 alphas, if you are inclined to use them; otherwise you’ll have to wait until November or so for the first official Firefox 3 release.

If you are a web developer I suggest you start updating your code to use HttpOnly where applicable.
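As an added example (not code from the original post), the following Python models both halves of the mechanism described above: the `Set-Cookie` header a server emits with the `HttpOnly` flag, and a small cookie jar that behaves the way a conforming browser is expected to. The storage rules follow RFC 6265 section 5.3, the later standardisation of the behaviour IE6 SP1 introduced: script may read only non-HttpOnly cookies, and may neither create an HttpOnly cookie nor overwrite an existing one. All function and class names are this example’s own.

```python
"""Model of HttpOnly (and Secure) cookie handling. Added example, not part
of the original post; names are hypothetical. Storage rules are taken from
RFC 6265 section 5.3."""
from dataclasses import dataclass
from typing import Dict


@dataclass
class Cookie:
    name: str
    value: str
    http_only: bool = False
    secure: bool = False


def build_set_cookie(name: str, value: str, *, http_only: bool = True,
                     secure: bool = False, path: str = "/") -> str:
    """Return the Set-Cookie header value a server would send."""
    parts = [f"{name}={value}", f"Path={path}"]
    if secure:
        parts.append("Secure")
    if http_only:
        parts.append("HttpOnly")
    return "; ".join(parts)


def parse_set_cookie(header: str) -> Cookie:
    """Parse a Set-Cookie header value: name=value, then ';'-separated attributes."""
    pair, *attrs = [p.strip() for p in header.split(";")]
    name, _, value = pair.partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip())
    for attr in attrs:
        key = attr.split("=", 1)[0].strip().lower()
        if key == "httponly":
            cookie.http_only = True
        elif key == "secure":
            cookie.secure = True
    return cookie


class CookieJar:
    """Browser-side store exposing two views: HTTP requests and document.cookie."""

    def __init__(self) -> None:
        self._store: Dict[str, Cookie] = {}

    def store(self, cookie: Cookie, *, from_http: bool) -> bool:
        """Store a cookie; from_http=False models a document.cookie write.

        Returns True if stored, False if rejected (RFC 6265 5.3 step 10)."""
        if not from_http:
            if cookie.http_only:
                return False  # script may not create HttpOnly cookies
            existing = self._store.get(cookie.name)
            if existing is not None and existing.http_only:
                return False  # nor replace an existing HttpOnly cookie
        self._store[cookie.name] = cookie
        return True

    def cookie_header(self, *, https: bool) -> str:
        """Cookie request header: HttpOnly cookies are sent; Secure ones only over HTTPS."""
        sent = [c for c in self._store.values() if https or not c.secure]
        return "; ".join(f"{c.name}={c.value}" for c in sent)

    def document_cookie(self) -> str:
        """What script sees via document.cookie: HttpOnly cookies are hidden."""
        visible = [c for c in self._store.values() if not c.http_only]
        return "; ".join(f"{c.name}={c.value}" for c in visible)


def demo() -> dict:
    """Constructed session: a protected session cookie and a plain preference cookie."""
    jar = CookieJar()
    jar.store(parse_set_cookie(build_set_cookie("PHPSESSID", "abc123")), from_http=True)
    jar.store(parse_set_cookie(build_set_cookie("theme", "dark", http_only=False)),
              from_http=True)
    return {
        "request": jar.cookie_header(https=False),   # both cookies go to the server
        "script": jar.document_cookie(),             # only 'theme' is visible to JS
        # a script attempt to replace the session cookie is rejected
        "script_overwrite": jar.store(Cookie("PHPSESSID", "tampered"), from_http=False),
    }


if __name__ == "__main__":
    print(demo())
```

The `script_overwrite` check is the case Erlend Oftedal raises in the comments: a browser that lets script write an HttpOnly cookie it cannot read still leaves the session cookie open to tampering, so the jar rejects that write as RFC 6265 requires. The `Secure` flag is modelled separately to make clear that it is a different, independent attribute: `HttpOnly` hides a cookie from script, `Secure` keeps it off plain HTTP.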

  • Erlend Oftedal

    Note that a website in IE is actually allowed to write these cookies from javascript even though it can’t read them. Hopefully this will be fixed in IE and never occur in Firefox 3.

  • Jordan

    I blogged a post yesterday making almost the exact same points (linked to in my name). Hopefully people will start including support in their applications. As you said, it never hurts.

  • Sid

    Indeed you did beat me to it.

  • Erlend Oftedal

    From my previous blog entry about httpOnly I also linked to Stefan Esser’s Firefox extension:

  • Erwan Legrand

    XSS allows to do much more than to just steal cookies. XSS gives an attacker almost complete control over the requests sent by the browser. Thus, I don’t see what the point is, really.

    Agreed, adding this feature will not do much harm, but it will not do much good either.

  • Sid

    You are very right that cookie stealing isn’t the only thing people do with XSS, but I do think that it is what most people do. It’s so much easier to steal cookies than to create a site-specific way to force the user into a specific action. Of course I have no way to back this up as I don’t have any figures.

    To be honest I think what will be the problem about HttpOnly cookies is that developers won’t use them. I think MySpace uses them, but that’s the only site I can think of that does use them.

  • cathal

    Actually this is excellent news, as by default the forms authentication cookie under 2.0 uses the HttpOnly attribute, so this will help secure these. As MySpace runs under 2.0, that’s why you’re seeing it there.

  • Erwan Legrand

    To make it clear, what I meant in my previous comment isn’t that this feature is useless. It isn’t. But it will only be effective against the most uneducated of attackers, i.e. with no programming skill and no knowledge of attack frameworks.

    Nowadays, XSS frameworks are being developed. Hence the cost of building a custom XSS attack is getting lower and lower.

    HttpOnly was a good idea when it was first thought and implemented. Adding this feature now is a bit too late, a kind of rearguard fight.

    Adding functionality to web development frameworks to escape output, as I hear was done in .NET, is a much better move I think, and this will work no matter what the browser is.

  • Sid

    Cathal: Thanks for that, I didn’t know it was on by default in 2 (I don’t know much at all about asp).

    Erwan: You are right about the whole XSS framework thing. We’ll see how this pans out.

  • Herbert Van Winkle

    This is bad news for black hats. I think this is a good defense. I always thought XSS was pretty lame; now it’s even less of an impact than ever.

  • Steven Adair

    Well, I would say supporting and using HttpOnly is a great idea. Cookie theft is a major issue that should be dealt with where possible. This is not a replacement for secure coding, but is an added layer of security. You can argue that someone can spend days crafting a specific attack for a specific user that doesn’t steal cookies, and this may very well be true. However, being able to stop someone from taking your session cookie and quickly jumping into an application as you — is quite a good thing. (This of course makes the assumption they are capable and there aren’t mitigating factors on the webapp to prevent the session theft.) This feature should be supported by all clients and used just as much. -Steven

  • amy

    I love to bake, however because of my job at narconon I have very little time to do so. Is there anyone out there who might have some great recipes that are quick and easy?

  • Amit

    I have a doubt regarding httponly…

    My site works with and without SSL.

    I have set the httponly attribute in the web.config file.

    But with the above setting, httponly is assigned to cookie only for non-SSL site and the same does not reflect when the site is accessed with SSL.

    Does anyone have any idea ??