Question

We are setting the parameter httpOnly to true in the web.xml file to prevent cookie creation on the client side. This is breaking the reading of cookie values. We are using the following way to read the JSESSIONID cookie in GWT.

Cookies.getCookie("JSESSIONID"); // com.google.gwt.user.client.Cookies reads document.cookie

This returns undefined. If I remove the attribute HttpOnly=true in web.xml it works fine and returns the cookie.

Can anyone please suggest a way to get the JSESSIONID cookie with HttpOnly set to true?


Solution

HttpOnly is not what you think it is. Its sole purpose is to tell browsers specifically not to expose the cookie to script, and only to use it at the HTTP level.

Nothing can prevent a cookie from being forged by the client. There are a few ways to prevent cross-site request forgery (CSRF) by so-called session fixation attacks, but HttpOnly is not one of them. HttpOnly helps with cross-site scripting (XSS), so that if the page includes a malicious third-party script, it cannot read the cookie to send it to a third-party server (probably to use it later for a session fixation attack, but that's only possible if your site is vulnerable to them).
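To make the rule in the answer concrete, here is a small model of a browser cookie jar. It is an added example, not code from the original answer, from GWT, or from any browser: it reproduces only the observable behaviour that an HttpOnly cookie is sent in the Cookie request header on every request but is left out of document.cookie, which is what GWT's Cookies.getCookie reads. The cookie names and values are constructed, and the CookieJar class and its method names are this example's own.

```javascript
// Added example (not from the original answer, not GWT or browser source):
// a minimal model of how a browser treats the HttpOnly flag. Cookie
// names and values below are constructed for the demonstration.

// Parse one Set-Cookie header (or a document.cookie write) into an object.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf("=");
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    path: "/",
    secure: false,
    httpOnly: false,
  };
  for (const attr of parts.slice(1)) {
    const [key, ...rest] = attr.split("=");
    const k = key.trim().toLowerCase();
    const v = rest.join("=").trim();
    if (k === "httponly") cookie.httpOnly = true;
    else if (k === "secure") cookie.secure = true;
    else if (k === "path" && v) cookie.path = v;
  }
  return cookie;
}

class CookieJar {
  constructor() {
    this.cookies = new Map(); // name -> cookie, insertion order preserved
  }

  // Cookie arriving from the server in a Set-Cookie response header.
  storeFromResponse(setCookieHeader) {
    const c = parseSetCookie(setCookieHeader);
    this.cookies.set(c.name, c);
  }

  // Cookie written by script via document.cookie = "name=value".
  // Per RFC 6265 section 5.3 a browser discards the write if it carries
  // HttpOnly itself or if an HttpOnly cookie of that name already exists.
  storeFromScript(cookieString) {
    const c = parseSetCookie(cookieString);
    if (c.httpOnly) return false;
    const existing = this.cookies.get(c.name);
    if (existing && existing.httpOnly) return false;
    this.cookies.set(c.name, c);
    return true;
  }

  // What goes on the wire in the Cookie request header: every cookie.
  requestCookieHeader() {
    return [...this.cookies.values()]
      .map((c) => `${c.name}=${c.value}`)
      .join("; ");
  }

  // What document.cookie returns: HttpOnly cookies are filtered out.
  documentCookie() {
    return [...this.cookies.values()]
      .filter((c) => !c.httpOnly)
      .map((c) => `${c.name}=${c.value}`)
      .join("; ");
  }

  // The lookup GWT's Cookies.getCookie(name) performs on document.cookie.
  getCookieFromScript(name) {
    for (const pair of this.documentCookie().split("; ")) {
      if (!pair) continue;
      const eq = pair.indexOf("=");
      if (pair.slice(0, eq) === name) return pair.slice(eq + 1);
    }
    return undefined;
  }
}

// Walk through the question's scenario with constructed cookies.
function demo() {
  const jar = new CookieJar();
  jar.storeFromResponse("JSESSIONID=ABC123DEF456; Path=/; HttpOnly");
  jar.storeFromResponse("theme=dark; Path=/");
  return {
    onWire: jar.requestCookieHeader(),                         // both cookies
    scriptView: jar.documentCookie(),                          // only theme
    sessionFromScript: jar.getCookieFromScript("JSESSIONID"),  // undefined
    scriptWriteAccepted: jar.storeFromScript("JSESSIONID=x"),  // false
    wireAfterWrite: jar.requestCookieHeader(),                 // unchanged
  };
}
```

The undefined result the question reports is exactly the scriptView branch: the session cookie is still present on the wire, so the server keeps receiving it (a servlet sees the session as usual), but no script in the page, including GWT, can read or overwrite it. This restriction applies only to script running in the page; a client the user controls can still send any Cookie header it likes, which is the answer's point that HttpOnly does not prevent forgery.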

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow