
30 Jun
2011
11:56 a.m.
On Thu, Jun 30, 2011 at 10:39 AM, Chris Smith
On Jun 30, 2011 8:25 AM, "Chris Smith" wrote: The kinds of cookies generated by clientsession are not really vulnerable to cookie-stealing attacks anyway due to the encryption that goes on [...]
On further thought, I'm wrong about this... but the conclusion is the same; those cookies definitely ought to be setting the http-only flag.
Yeah, even if the cookie is an opaque blob it could be vulnerable to a time-limited replay attack. Not worth it.
G
--
Gregory Collins
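The point both messages arrive at is that an encrypted, MAC'd session cookie is opaque to an attacker but still a bearer token: whoever presents it is logged in until it expires, so a script that reads document.cookie can replay it. The following is an added example, not code from Snap or clientsession. It uses an HMAC-SHA256 counter-mode keystream as a toy stand-in for clientsession's AES encryption, an HMAC tag for integrity, and an expiry stored inside the blob; the names seal, unseal, session_cookie_header and flip_byte and the demo key are hypothetical. It shows that a copied blob validates for any presenter within its lifetime, that tampering and expiry are rejected, and that the Set-Cookie header must carry HttpOnly (and Secure) so the blob is not readable from JavaScript in the first place.

```python
import base64
import hashlib
import hmac
import json
import os
from http.cookies import SimpleCookie

# Constructed demo key; a real deployment loads this from a key file.
DEMO_KEY = hashlib.sha256(b"demo-clientsession-key").digest()

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, a toy stand-in for a real stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, session: dict, ttl: int, now: float) -> str:
    """Encrypt-then-MAC a session dict into an opaque blob carrying its own expiry."""
    body = dict(session, exp=int(now) + ttl)
    plaintext = json.dumps(body, sort_keys=True).encode()
    nonce = os.urandom(NONCE_LEN)
    ciphertext = _xor(plaintext, _keystream(key, nonce, len(plaintext)))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ciphertext + tag).decode()


def unseal(key: bytes, blob: str, now: float):
    """Return the session dict if the blob is authentic and unexpired, else None.

    Nothing here ties the blob to the client presenting it: a copy stolen via
    document.cookie is accepted exactly like the original until exp passes.
    """
    try:
        raw = base64.urlsafe_b64decode(blob)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ciphertext, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time compare
        return None
    plaintext = _xor(ciphertext, _keystream(key, nonce, len(ciphertext)))
    body = json.loads(plaintext)
    if body.get("exp", 0) <= now:
        return None
    return body


def flip_byte(blob: str, index: int) -> str:
    """Return a copy of the blob with one byte flipped (simulated tampering)."""
    raw = bytearray(base64.urlsafe_b64decode(blob))
    raw[index] ^= 0x01
    return base64.urlsafe_b64encode(bytes(raw)).decode()


def session_cookie_header(blob: str, http_only: bool = True) -> str:
    """Build the Set-Cookie header; HttpOnly keeps the blob out of document.cookie."""
    jar = SimpleCookie()
    jar["session"] = blob
    jar["session"]["path"] = "/"
    jar["session"]["secure"] = True
    jar["session"]["httponly"] = http_only
    return jar.output(header="Set-Cookie:")


if __name__ == "__main__":
    t0 = 1_000_000
    blob = seal(DEMO_KEY, {"user": "alice"}, ttl=600, now=t0)
    print("victim's own request:", unseal(DEMO_KEY, blob, t0 + 100))
    print("replayed copy, 5 min later:", unseal(DEMO_KEY, blob, t0 + 300))
    print("replayed copy after expiry:", unseal(DEMO_KEY, blob, t0 + 600))
    print("tampered copy:", unseal(DEMO_KEY, flip_byte(blob, NONCE_LEN + 2), t0 + 100))
    print(session_cookie_header(blob))
```

The replay window is exactly the ttl: shortening it bounds the damage but does not remove it, which is why the flag is worth setting even on an encrypted blob.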