Is HttpOnly necessary when SSL is already set?
https://stackoverflow.com/questions/8611871
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
If I already set SSL for my application server, do I still need to set HttpOnly for the cookies?
La solution
Yes. The two flags have nothing to do with each other (both are security/privacy options, though)
"Secure" means that the cookie will only be sent over encrypted connections
"HttpOnly" means that the cookie will not be visible to Javascript
You could still have XSS on an HTTPS page, for example (and then an evil script could eat your cookie).
Licencié sous: CC-BY-SA avec attribution
Non affilié à StackOverflow
