Firefox 3 to support HttpOnly cookies

HttpOnly cookies are a mechanism Microsoft developed for IE6 SP1 to add some security to cookies. The web developer would set a cookie (for instance the session cookie) to be HttpOnly (both ASP and PHP support setting HttpOnly cookies) and the browser would only ever use that cookie when sending HTTP requests, not when client side scripting asks to read the cookie. This means if there was a cross site scripting flaw on the website the JS wouldn’t be able to use the cookies. The solution isn’t perfect, but it does what it’s meant to do and doesn’t harm anyone.

Support for this is already in the Firefox 3 alphas, if you are inclined to use them, otherwise you’ll have to wait until November or so for the first official ff3 release.

If you are a web developer I suggest you start updating your code to use HttpOnly where applicable.

Accidental backdoor by ISP [updated x2]

Now I have full access to FTP in to their routers even if they have changed their passwords, I have full read and write access to things from DNS details to DMZ settings, from Wifi passwords to VPN keys. I can then upload the new file back to their router, log into it’s telnet daemon and load the new settings file.

Read More