Is HttpOnly necessary when SSL is already set?

security ssl httponly
ysp80 picture ysp80 · Dec 23, 2011 · Viewed 8.3k times · Source

If I already set SSL for my application server, do I still need to set HttpOnly for the cookies?

Answer

Thilo picture Thilo · Dec 23, 2011

Yes. The two flags have nothing to do with each other (both are security/privacy options, though)

  • "Secure" means that the cookie will only be sent over encrypted connections

  • "HttpOnly" means that the cookie will not be visible to Javascript

You could still have XSS on an HTTPS page, for example (and then an evil script could eat your cookie).

Related questions

Default SecurityProtocol in .NET 4.5

What is the default security protocol for communicating with servers that support up to TLS 1.2? Will .NET by default, choose the highest security protocol supported on the server side or do I have to explicitly add this line of code: …

Read More
SSL Error: unable to get local issuer certificate

I'm having trouble configuring SSL on a Debian 6.0 32bit server. I'm relatively new with SSL so please bear with me. I'm including as much information as I can. Note: The true domain name has been changed to protect the identity …

Read More
Keystore type: which one to use?

By looking at the file java.security of my JRE, I see that the keystore type to use by default is set to JKS. Here, there is a list of the keystore types that can be used. Is there a …

Read More