Prevent cookies from being viewed / obtained with javascript

8

I was reading #

The phrase in question is:


Create secure cookies that only work via HTTPS and are not accessed by JavaScript;

My question concerns this part: what are cookies that "are not accessed by javascript"?

In my experience I have never had any problem with client-side operations involving cookies for this or any similar reason.

Obviously I am speaking in the context of http + browser.

Since these cookies are in our browser, what prevents us from obtaining them? Is there a cookie / session that is not included in document.cookie? Or even just by looking at the request headers (they always have to be present right there, don't they)?

I also suspect that the author was wrong, or did not quite mean that.

asked by anonymous 11.04.2017 / 18:21

3 answers

4

[...] what are cookies that "are not accessed by javascript"?

Cookies are created with HttpOnly, which should be paired with Secure. For example:

COOKIEKEY=COOKIEVAL;HttpOnly;Secure

The Secure flag indicates that the cookie may only travel over secure connections (https).

The Secure tag causes the cookie content not to be made available to the JavaScript engine; it is only passed in the HTTP request header.

Some older browsers did not respect, or incorrectly implemented, the HttpOnly marker. All current versions of the most used browsers implement it correctly. The following table (source) indicates compatibility and functionality for versions prior to 2011:

12.04.2017 / 00:19
3

With the help of a colleague here who pointed me to a starting point, I got to know, and was even glad to learn, that yes, it is possible to obfuscate and prevent a cookie from being read / obtained by applets or scripting languages, such as javascript.

Warning: it will never be invisible in the request / response headers; it is just an instruction for the browser not to make the information easily available.

That said, here is an example of this kind of cookie in php:

<?php
session_start();                  // required before writing to $_SESSION
$_SESSION['sess'] = '123';
// setcookie(name, value, expires, path, domain, secure, httponly)
setcookie('visible', 'Eu sou visto', time()+500, '', '', false, false);   // readable by JS
setcookie('invisible', 'Eu nao sou visto', time()+500, '', '', false, true); // HttpOnly: hidden from JS
?>
<script>
alert(document.cookie); // 'visible' is listed, 'invisible' is absent
</script>

Just this is enough to test.

Pay attention to the last argument, called httponly: its default is false, but in the last cookie we set it to true, and it is precisely this cookie that we will not be able to "see" with javascript.

If you want to apply this to the session cookie:

ini_set('session.cookie_httponly', 1);

With asp.net, the way to write a cookie of this type is as follows (colleagues proficient in this technology feel free to edit; I may be getting something wrong):

private static HttpCookie CreateSessionCookie(string id)
{
    HttpCookie cookie = new HttpCookie(Config.CookieName, id);
    cookie.Path = "/";
    cookie.HttpOnly = true;   // <-- burned in
    return cookie;
}

Source of this last example

Image of the test (first example of the answer, php) for those who do not want to test it themselves:

12.04.2017 / 00:45
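To make the question ("is there a cookie that document.cookie does not show?") and this answer's warning (it is still in the headers) concrete, here is an added example, not code from the question or any answer. It models, in Python, the browser's two views of the same cookie jar: what a script sees through document.cookie, and what goes into the Cookie request header; the Set-Cookie lines are constructed from the php example above (the session cookie name and value are assumed).

```python
# Added example: model which cookies a browser exposes to document.cookie
# versus which it sends in the Cookie request header, from raw Set-Cookie
# response headers. Sample headers are constructed, not captured.
SAMPLE_SET_COOKIE = [
    "visible=Eu sou visto; Max-Age=500; Path=/",
    "invisible=Eu nao sou visto; Max-Age=500; Path=/; HttpOnly",
    "PHPSESSID=abc123; Path=/; HttpOnly; Secure",   # assumed session cookie
]

def parse_set_cookie(headers):
    """Parse Set-Cookie header values into name -> {value, httponly, secure}.
    Attribute names are case-insensitive (RFC 6265); attribute values such
    as Max-Age=500 are ignored here since only the two flags matter."""
    jar = {}
    for line in headers:
        parts = [p.strip() for p in line.split(";")]
        name, _, value = parts[0].partition("=")
        attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
        jar[name.strip()] = {
            "value": value,
            "httponly": "httponly" in attrs,
            "secure": "secure" in attrs,
        }
    return jar

def document_cookie(jar):
    """What a script reading document.cookie sees: HttpOnly cookies are
    omitted entirely, so an XSS payload cannot read them."""
    return "; ".join(f"{n}={c['value']}" for n, c in jar.items()
                     if not c["httponly"])

def cookie_request_header(jar, https):
    """What the browser puts in the Cookie request header: every cookie,
    HttpOnly or not, except Secure cookies on a plain http request."""
    return "; ".join(f"{n}={c['value']}" for n, c in jar.items()
                     if https or not c["secure"])

def audit(jar):
    """Defender's check: names of cookies missing HttpOnly or Secure."""
    return sorted(n for n, c in jar.items()
                  if not (c["httponly"] and c["secure"]))

if __name__ == "__main__":
    jar = parse_set_cookie(SAMPLE_SET_COOKIE)
    print("document.cookie :", document_cookie(jar))
    print("Cookie (https)  :", cookie_request_header(jar, https=True))
    print("Cookie (http)   :", cookie_request_header(jar, https=False))
    print("missing flags   :", audit(jar))
```

Run against a real response by feeding it the Set-Cookie values your HTTP client collected; the audit list is what you would want empty for any cookie that carries a session identifier.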
0

Not only is it possible, it is strongly recommended. Of course, it depends on how you will use it and what you want to store.

When you set a cookie with httpOnly, it means that only the server has access to that information, i.e. it cannot be retrieved through js. Doesn't that sound safe? Since your information is already available right there? If you plan to add information that people should not have access to, it will presumably be encrypted and the cookie is only acting as a local repository.

This technique is fairly simple and stops most XSS-based cookie problems (there is also a question on stackoverflow about one of the most famous problems related to this).

You can read more about it at: link

11.04.2017 / 19:02