Using cross-site scripting to steal authentication cookies is one of the biggest security problems plaguing the web today. Jeff Atwood argues that a lot more protection could be had by the cheap and simple means of marking all cookies HttpOnly:
HttpOnly cookies can in fact be remarkably effective. Here’s what we know:
- HttpOnly restricts all access to document.cookie in IE7, Firefox 3, and Opera 9.5 (unsure about Safari)
- HttpOnly removes cookie information from the response headers in XMLHttpObject.getAllResponseHeaders() in IE7. It should do the same thing in Firefox, but it doesn’t, because there’s a bug.
- XMLHttpObjects may only be submitted to the domain they originated from, so there is no cross-domain posting of the cookies.
The big security hole, as alluded to above, is that Firefox (and presumably Opera) allow access to the headers through
document.cookie, but hardly a feat of software engineering.
Even with those caveats, I believe HttpOnly cookies are a huge security win. If I — er, I mean, if my friend — had implemented HttpOnly cookies, it would have totally protected his users from the above exploit!
Of course this doesn't completely protect your app from cross-site scripting (an injected script can still do anything the page can do, it just can't read the cookie), and it does nothing to protect against good old-fashioned packet sniffing of cookies sent over plain HTTP, which is what the separate Secure flag is for, but it is still a good suggestion.