Chrome developer tools > resources > cookies > http column, does a checkmark here indicate HttpOnly cookie?

Question

Does the checkmark at the Http column of Chrome devtool's Cookie resource panel indicate a HttpOnly cookie?

I can't find docs that confirm this, though I suspect it is the case. I am trying to verify my app is using HttpOnly for session cookies.

Answer 1

Yes. Enter document.cookie in the console, and you'll see that none of the checked cookies are visible.

HTTP = HttpOnly flag, Secure = secure flag.

Answer 2

Yes. Right click on your page or press F12 button. This will open developers tools window. Go to application tab. It'll show as follow :-

Now, typing document.cookie on the tab, you'll see only csrf token being shown.

To specify session cookies to be httpCookie by default, set 'useHttpOnly' attribute in context.xml in tomcat, for java web application. For more information, refer to http://tomcat.apache.org/tomcat-7.0-doc/config/context.html#Common_Attributes

Answer 3

So 2 things .

1) HTTP only cookie this name is a bit misleading as we can send HTTPOnly cookie over HTTPS and it works perfectly fine. Main characteristics of HTTP Only cookie is it can't be accessed using JavaScript . In-fact You can't even manually edit this in Chrome's Application tab.

2) So how you can edit HTTP Only cookie ? In chrome You can use extension to edit cookie while development . In production mode there is no way you can adultrate this without man in the middle attack on HTTP connection.

Answer 4

Today (May 2016), googling around for the same reason, I found this question and this page from developers.google.com explaining:

HTTP: If present, indicates that cookies should be used only over HTTP, and JavaScript modification is not allowed.