I can see the cookie is being transmitted via Chrome Network inspector:
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.3
Accept-Encoding:gzip,deflate,sdch
Accept-Language:en-US,en;q=0.8
Cache-Control:max-age=0
Connection:keep-alive
Cookie:rack.session=BAh7B8kiD3Nlc3Npb25faWQGOgZFRiJFMmYwOTZmZGY1NDEzNGVhYWJhYjcz%0ANmUzYmE5NzYyZmRmM2EyYjk4YWNlNzYzNjdkOGI5MDFiNTU3MDg0NWUzY0ki%0ADXRyYWNraW5nBjsARnsISSIUSFRUUF9VU0VSX0FHRU5UBjsARiItMjVhMmFj%0AZDI5zWU2NTJkY2QyMzA4MzI3NmYxNTk2YjU2ZjBkNmUwNkkiGUhUVFBfQUND%0ARVBUX0VOQ09ESU5HBjsARiItZWQyYjNjYTkwYTRlNzIzNDAyMzY3YTFkMTdj%0AOGIyODM5Mjg0MjM5OEkiGUhUVFBfQUNDRVBUX0xBTkdVQUdFBjsARiItY2M5%0AZjZmZWM2NTJhNDI1OGJjNmQyOTI4NzA1MjE3OWFiMWUwZDE0Nw%3D%3D%0A--82a2216513ed8ce3bbcd0f2fe2162e7c40847499; test=whee
Host:0.0.0.0:4567
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17
But when I dump document.cookie to the console I don't see it! Entire contents of served file:
<script type="text/javascript">
console.log(document.cookie)
</script>
Is this normal?
asked Feb 1, 2013 at 6:48 by jchook

- Cookie is most likely http-only – Explosion Pills, Feb 1, 2013 at 6:50
- Sometimes sites don't want their cookies to be accessed by javascript, so the httponly flag is set to disable it. – Shurmajee, Feb 1, 2013 at 6:53
- Would it be insecure to allow javascript to access my session cookie and then store it in localStorage? – jchook, Feb 2, 2013 at 0:27
- I see it is a rack app, which makes me guess it is a Rails application, which sets cookies to httponly by default. Explosion Pills, I would recommend putting your response as an answer so that it can be accepted. jchook, if you're interested in learning more, I believe this is a quick and easy place to start understanding them: codinghorror./blog/2008/08/… – whoughton, Nov 23, 2013 at 15:10
1 Answer
HttpOnly is an additional flag included in a Set-Cookie HTTP response header. Using the HttpOnly flag when generating a cookie helps mitigate the risk of client-side script accessing the protected cookie (if the browser supports it).
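As an added illustration, not code from the question, the answer or Rack itself, the following pure-Ruby script parses Set-Cookie response headers, shows what document.cookie would expose (HttpOnly cookies are still sent in the Cookie request header, as in the question, but hidden from script) and flags cookies that lack HttpOnly or Secure. The sample headers are constructed and the rack.session value is a placeholder.

```ruby
# Added example, not code from the question, answer or Rack: audit Set-Cookie
# headers; every sample header below is constructed.
Cookie = Struct.new(:name, :value, :attributes, keyword_init: true) do
  def http_only?
    attributes.key?('httponly')
  end
  def secure?
    attributes.key?('secure')
  end
end

# Parse one Set-Cookie value ("name=value; Path=/; HttpOnly") into a Cookie.
# Attribute names are case-insensitive, so they are stored lower-cased; bare
# flags such as HttpOnly get a nil value.
def parse_set_cookie(header)
  pair, *attrs = header.split(';').map(&:strip)
  name, value = pair.split('=', 2)
  attributes = attrs.each_with_object({}) do |attr, acc|
    key, val = attr.split('=', 2)
    acc[key.downcase] = val
  end
  Cookie.new(name: name, value: value, attributes: attributes)
end

# What document.cookie would show: HttpOnly cookies are still sent in the
# Cookie request header (as in the question) but are hidden from script.
def script_visible_cookies(cookies)
  cookies.reject(&:http_only?).map { |c| "#{c.name}=#{c.value}" }.join('; ')
end

# Defender's audit: list every cookie missing HttpOnly or Secure.
def audit_cookies(cookies)
  cookies.each_with_object([]) do |c, findings|
    findings << "#{c.name}: missing HttpOnly" unless c.http_only?
    findings << "#{c.name}: missing Secure" unless c.secure?
  end
end

# Constructed sample: a session cookie set with HttpOnly (value is a placeholder)
# and a plain cookie set with no flags, like "test=whee" in the question.
SAMPLE_SET_COOKIE_HEADERS = [
  'rack.session=CONSTRUCTED_SESSION_VALUE; path=/; HttpOnly',
  'test=whee; path=/'
].freeze

def demo
  cookies = SAMPLE_SET_COOKIE_HEADERS.map { |h| parse_set_cookie(h) }
  { visible: script_visible_cookies(cookies), findings: audit_cookies(cookies) }
end
```

Running `demo` shows only `test=whee` as script-visible, which is exactly what the question's console.log printed, while the audit lists the session cookie as missing Secure and the test cookie as missing both flags.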