[owasp-intrinsic-security] HTTPOnly cookie flag

Bil Corry bil at corry.biz
Fri Nov 7 17:12:05 EST 2008

Bil Corry wrote on 11/3/2008 4:32 PM: 
> turns out Yngve Pettersen of Opera has been working on revising the
> RFC for cookies to fix cookie leaking issues with domains like
> "city.state.us":
> http://www.ietf.org/internet-drafts/draft-pettersen-cookie-v2-03.txt 
> http://www.ietf.org/proceedings/07jul/slides/httpbis-1.pdf
> I'm thinking he's probably the one to ask about HTTPOnly; I just
> fired off an email to him too.  And it makes me wonder if we should
> be working with IETF to get HTTPOnly added to the RFC?

I've been conversing with Yngve about HTTPOnly and related, his current RFC draft that covers cookies:


His current draft is aimed at improving cookie security and proposes to not permit the "parent"-domain type of distribution for cookies; some background on this is here:


He also mentioned contemplating making the "secure" flag on by default for any cookie set over SSL/TLS.  This sounds like a good idea to me, but would obviously break some web applications.

And I thought it would be good to add the HTTPOnly flag to the spec or write a separate spec, as there currently doesn't appear to be one anywhere to be had (which undoubtedly is what is contributing to its lack of standard implementation across the browsers).

So I believe there's an opportunity here to improve cookie security and get it into an RFC so that browser vendors can uniformly implement a more secure cookie model.  I'm guessing any changes that will break existing sites will not be adopted or welcomed, so to that end, I think it may be prudent to consider implementing changes strictly to Cookie2, so that Cookie can be phased out and security-progressive sites can instead implement Cookie2 exclusively.

Any thoughts on any of this?

- Bil
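As an added illustration of the two flags discussed in the message above (not code from the thread or from any browser or draft it mentions), the following script audits Set-Cookie headers for missing HttpOnly and Secure flags and can model the "Secure on by default over TLS" rule Bil says Yngve was contemplating. The function names and the sample headers are constructed for this example.

```python
# Added example, not part of the mailing-list thread: audit Set-Cookie
# headers for the HttpOnly and Secure flags and simulate the proposed
# "treat cookies set over TLS as Secure" default.
# Function names and sample headers are constructed for this example.

def parse_set_cookie(header: str):
    """Split a Set-Cookie header into (name, value, {attr: value}).
    Attribute names are case-insensitive; flag attributes map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header: str, over_tls: bool, secure_by_default: bool = False):
    """Return a list of findings for one Set-Cookie header.

    over_tls: the response carrying this header arrived over HTTPS.
    secure_by_default: model the proposed rule that a cookie set over TLS
    is treated as Secure even when the server omitted the flag.
    """
    name, _, attrs = parse_set_cookie(header)
    secure = "secure" in attrs or (secure_by_default and over_tls)
    httponly = "httponly" in attrs
    findings = []
    if over_tls and not secure:
        # Without Secure the browser also sends the cookie on plain-HTTP requests.
        findings.append(f"{name}: set over TLS without Secure flag")
    if not httponly:
        # Without HttpOnly the cookie is readable from script via document.cookie.
        findings.append(f"{name}: missing HttpOnly flag")
    return findings


# Constructed sample headers, as a server might emit them over HTTPS.
SAMPLE_HEADERS = [
    "SESSIONID=abc123; Path=/; HttpOnly",
    "SESSIONID=abc123; Path=/; Secure; HttpOnly",
    "prefs=dark; Path=/",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        for finding in audit_set_cookie(h, over_tls=True):
            print(finding)
```

Running it with `secure_by_default=True` shows how the proposed default would silence the Secure finding for the first header without changing what the server sent.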
