Prevent cookies from being viewed/obtained with javascript


I was reading an article and found one of its sentences curious; in it the author lists (right in the first paragraphs of the article) the main security precautions that we developers should take into account.

The phrase in question is:

Create secure cookies that only work via HTTPS and are not accessed by Javascript;

My question arises from this part: what are cookies that "are not accessed by javascript"?

In my own experience I have never had any problem with client-side operations involving cookies because of this or a similar reason.

Obviously I am speaking in the context of HTTP + browser.

Since these cookies are in our browser, what prevents us from obtaining them? Is there a cookie/session that is not currently in document.cookie? Or even simply by looking at the request headers (they always have to be present there, right?)?

I also hypothesize that the author made a mistake and didn't mean to put it that way.

  • Good question, I do not remember seeing this type of cookie while programming for the web

  • I confess that I am inclined to think it was a mistake on the part of the author @Paulohdsousa, but I would like to be sure

  • I had even answered, and after I sent it I stopped to read it again. I figured you were talking about httpOnly.

  • Hello @Aline, I got to read your answer, but I was in the car and couldn't say anything until now. I edited the question, but basically: is there some kind of cookie/session that is not in document.cookie? If yes, could you add to your answer a way of doing it, please?

  • If it is PHP, you have an option in php.ini: session.cookie_secure = 0, which may be changed to session.cookie_secure = 1. But then you can only create a session under https.

  • The question is not about the secure parameter @Maurivan, but about httponly (which I had no idea about); I never needed to get these cookies in javascript

  • Well, then I'll just reverse the deletion. aheuha =)


3 answers

5


[...] what are cookies that "are not accessed by javascript"?

They are cookies created with the HttpOnly flag, which should be combined with the Secure flag. For example:

COOKIEKEY=COOKIEVAL;HttpOnly;Secure

The Secure flag indicates that the cookie may only be transmitted over secure connections (https).

The HttpOnly flag causes the cookie's content not to be made available to the Javascript engine; it is only transmitted in the HTTP request header.

Some ancient browsers did not respect, or incorrectly implemented, the HttpOnly flag. All current versions of the most commonly used browsers implement it. The following table (source) indicates compatibility and behaviour for versions prior to 2011:

[image: browser compatibility table for HttpOnly, not available here]

  • 2

    It's time for SO to have tables. I know you have a strong argument, but I think all communities have enough members to edit and correct possible formatting flaws. +1

  • @Guilhermenascimento that's right. I miss using tables to display... tabular data.

  • 1

    Ha, I was also answering at the same time, Onosendai, hehe. Thank you for the reply

  • 1

    @Onosendai their "strong argument" is this https://meta.stackexchange.com/a/228464/198279; for my part I find it an exaggeration that they think so, after all that is exactly what editing is allowed for. I would very much like them to see this from another angle now.

3

With the help of a colleague here who pointed me where to start, I found out (and even liked knowing) that yes, it is possible to hide a cookie and prevent it from being read/obtained by applets or scripting languages such as javascript.

Note: they will never be invisible to us in the request/response headers; it is only an instruction so that the browser does not provide the information in a way that is easily manipulated.

Having said that, here is an example of this type of cookie in PHP:

<?php
session_start();                // needed before $_SESSION can be used
$_SESSION['sess'] = '123';
// setcookie(name, value, expires, path, domain, secure, httponly)
setcookie('visible', 'Eu sou visto', time()+500, '', '', false, false);   // httponly = false
setcookie('invisible', 'Eu nao sou visto', time()+500, '', '', false, true); // httponly = true
?>
<script>
// only the 'visible' cookie (and the session cookie, unless it is HttpOnly) shows up here
alert(document.cookie);
</script>

This is enough to test; pay attention to the last argument, called httponly. By default it is false, but in the last cookie we set it to true, and this is precisely the cookie that we will not be able to "see" with javascript.

If you want to apply it to the session:

ini_set('session.cookie_httponly', 1); // must be set before session_start()

With ASP.NET, this is the way to write a cookie of this kind (colleagues proficient in this technology, feel free to edit; I may be doing something silly):

private static HttpCookie CreateSessionCookie(string id)
{
    HttpCookie cookie = new HttpCookie(Config.CookieName, id);
    cookie.Path = "/";
    cookie.HttpOnly = true;   // <-- burned in
    return cookie;
}

Source of the latter

Screenshot of the test (first example of the answer, PHP) for those who do not want to test it themselves:

[screenshot of the PHP test not available here]
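As an added example (not code from any of the answers above), here is a small Node.js audit of Set-Cookie headers that serves both the flag description in the first answer and the PHP test in this one: it parses each header and reports cookies that lack HttpOnly or Secure, which is the check you would run against your own responses. The sample headers are constructed to mirror the two PHP cookies above, and the function names (parseSetCookie, auditSetCookie, auditResponseCookies) are my own.

```javascript
// Parse one Set-Cookie header value into its name, value and attributes.
// Attribute names are case-insensitive (RFC 6265), so they are lower-cased.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1); // flag attrs become true
  }
  return { name, value, attrs };
}

// Report which protections a single cookie is missing. Returns [] when it is fine.
function auditSetCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  if (!attrs.httponly) findings.push(`${name}: missing HttpOnly (readable via document.cookie)`);
  if (!attrs.secure) findings.push(`${name}: missing Secure (may be sent over plain HTTP)`);
  return findings;
}

// Audit every Set-Cookie header of a response. `headers` has the shape of
// res.headers['set-cookie'] from Node's http client (an array of strings).
function auditResponseCookies(headers) {
  return headers.flatMap(auditSetCookie);
}

// Constructed sample (not captured from a real server): the two cookies from
// the PHP example as a browser would receive them, plus a session cookie that
// carries both protections. PHP's setcookie() URL-encodes spaces as '+'.
const SAMPLE_HEADERS = [
  'visible=Eu+sou+visto; expires=Thu, 01 Jan 2026 00:00:00 GMT',
  'invisible=Eu+nao+sou+visto; expires=Thu, 01 Jan 2026 00:00:00 GMT; HttpOnly',
  'PHPSESSID=abc123; path=/; HttpOnly; Secure',
];

// Three findings: 'visible' lacks both flags, 'invisible' lacks Secure only.
const SAMPLE_FINDINGS = auditResponseCookies(SAMPLE_HEADERS);
console.log(SAMPLE_FINDINGS);
```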

0

Not only is it possible, but it is strongly recommended. Of course, it depends on how you will use it and what you intend to store.

When you set a cookie with httpOnly, it means that only the server has access to this information, that is, it is not possible to retrieve it through JS. Doesn't that seem safe? Since your information is already available right there? If you intend to store information that people shouldn't have access to, it can be encrypted, and the cookie then only acts as a local repository.

This technique is quite simple and stops most XSS-based cookie problems, as Stack Overflow itself knows well, given one of the most famous problems related to this.

More can be read on: https://blog.codinghorror.com/protecting-your-cookies-httponly/
