Hello
A web site was developed and deployed to client. In some cases, I need to set the flag HttpCookie.HttpOnly = true. Okay - I have done it. Next question:
Is Cookie available after setting flag in JavaScript?
or maybe some restriction when I am using JavaScript?
or do I need to make some changes in existing JavaScript?
The purpose of using HttpOnly is to prevent Javascript from accessing the cookie, primarily to prevent XSS attacks. There are decent write-ups on CodingHorror and MSDN about it.
Bottom line: if you need access to the cookie with Javascript you can not use HttpOnly.
Related
I have read the OWASP information and also a range of articles including Jeff Atwood's Protecting Your Cookies article and I still feel I need to understand HttpOnly cookies better.
This came about because I needed to add some Google Adword tracking code to a site. This javascript needed to set and read a cookie on the website's domain and I assumed that this was an issue. The website is a .Net application with httpOnlyCookies="true" in the web.config, so I assumed that the best approach would be to replace the javascript and write the cookie from the backend to ensure that the generated cookie was HttpOnly. I could then easily read the cookie in the server-side too.
I understand that setting the HttpOnly of a cookie property largely prevents a cookie from being read and manipulated by the client. But what I don't understand is:
Given the example above, would there have been a problem with me using the javascript implementation?
Would it still have been ok to write the cookie using javascript (but still read it using the server-side)? I'm thinking not as the cookie is then not a HttpOnly cookie
If I have done the right thing (moving everything to a server-side implementation), why are Google Analytic cookies always implemented as non-HttpOnly cookies? Surely they pose a security issue too?
So as the title says, I guess what I'm asking is - when (if ever) is it appropriate to have non-HttpOnly cookies on your domain?
So this is much more straightforward than I assumed. According to the comments left by #mah above, flagging a cookie as HttpOnly is redundant when the cookie contains non-sensitive information.
The httpOnly option was response to JavaScript tricks to steal user's session cookie. It was because the session cookie is a temporary credential that allows you access to user's logged-in session on the server.
In case of any other, non-session cookies it really depends on your own risk assessment. If you're not really concerned about slightly increased exposure without httpOnly or you just have a business need to access their values from JavaScript, just ignore this option.
Some security scanners or incompetent pentesting teams will report missing httpOnly flags for each cookie just because it's trivial to spot and allows them to easily inflate their report. But explaining the actual purpose and origin of httpOnly should be sufficient to counter that.
I am trying to find a solution to detect if clients brower has javascript enabled or not.
Is there a way to check whether JavaScript is enabled in the client browser, in django if possible or in python?
Unfortunately, you can't do this unless trying a second request. There's no way to know this before actually interacting with the browser itself.
The closest I can think of is trying to set a cookie and store this information for future visits.
Hope it helps.
The right approach is to degrade gracefully, but that is not always possible especially with web app. Use a <noscript> tag to tell the user to re-enable javascript.
If you need a solution through django, set a cookie using JS and try to read it in the second request. If you dont see the cookie then JS is not enabled. However, as a first request it can't be detected.
On my previous websites, I used to use a cookie to display a pre-home page only on the first visit. That worked great (see for example here), but using cookies is not so trendy today, so I want to avoid it as much as possible.
Now, my new website projects almost always have pre-home launched via javascript (showing a modalbox), so I don't need to do any action on the server side. I'm considering to use HTML5 localStorage instead of cookies, with a fallback on cookies if the browser does not have localStorage. Is this a good idea? What is the impact in terms of usability, privacy protection and website performance?
Using localStorage will improve usability for users that have disabled cookies. But I know that some HTML5 features are only opt-in (like geolocalisation) in some browser. Is there any restriction like that for localStorage on any browser ? Is there any case where I will get a JS error if localStorage is available but deactivated for my site ?
Usability
The user will not know if you are using localStorage or a cookie. If a user disable cookies, localStorage will not work either.
Performance
There is no noticeable speed difference between the two methods.
sessionStorage
sessionStorage is only for that browser tab's session. If you close the tab, the session will be lost and the data will be lost too, it's similar to a session variable on any backend language.
localStorage
localStorage will be available for any tab or window in the browser, and will exist until it is deleted by the user or the program. Unlike a cookie, you cannot setup expiration. localStorage has a much larger storage limit as well.
Your Questions
You are not using this data server side, so you don't need a cookie. localStorage is never sent to the server unlike a cookie.
If the user disables the cookies, localStorage will not work either.
Fallback Example
You can use a Modernizr to verify if localStorage is available and if not, use store a cookie instead.
if (Modernizr.localstorage) {
// supports HTML5 Storage :D
} else {
// does not support HTML5 Storage :(
}
You can also forego Modernizr and use the check typeof Storage !== 'undefined'.
Comparing LS vs cookies is comparing apples to oranges.
Cookies and LS are completely different things for different purposes. LS is a tool that allows your client (javascript code) to store its data locally, without transmitting it to the server. Cookies is a tool for the client-server communication. The whole point of cookies is to be sent over with each request.
In the past cookies were often abused to emulate the local storage, just because it was the only possibility for a javascript application to write anything to the client's hard drive. But generally LS is not a replacement for cookies, so if you need something that both client and server should read and write, use cookies, not LS.
One point to add, unlike cookie normally shared cross protocol, the storages stick to same-origin policy. As a consequence sites share the same domain but hosted on different protocol do not share the stored data.
Say if your website need to work across http and https. For example, when user clicked the "purchase link" they will land on https secured checkout, then the checkout won't be able to retrieve the data previously stored on http site, even when they share the same domain.
It doesn't look easy for the server to read the localStorage. That may come in handy though, knowing your data is all client-side, making it safe from sniffing.
Cookies can't be written over, only added to and read:
alert(document.cookie);
document.cookie = "nope";
alert(document.cookie);
The one thing I didn't like about using 'localstorage' is that all your script code is visible when you 'inspect' (F12) the page. Go into SOURCES and from the left panel locate your website name and open it. All your code within the tags is totally visible. So if you've got some sensitive values on display, liked hashed passwords, special words, they all there for the world to see. I'm not sure what the world will do with this info, but it's not very secure.
Is it possible that you disable setting cookies in javascript while stil being able to read them?
In my website i set cookies only in php, but it would be usefull that i can read them from Javascript.
I know there is a httpOnly flag while creating cookie but that restrict read and write access from Javascript.
The reason why i want to restrict write access is of course security as user can easily set cookie even from browser and i want to prevent that.
What you can do is create two cookies:
MY_COOKIE_HTTP_ONLY
MY_COOKIE
With the same values in the backend. One which is http only and the other which isn't. The MY_COOKIE_HTTP_ONLY cookie will be used in the backend and MY_COOKIE will be used in the browser. If attacker changes the value of MY_COOKIE in the browser side, well that basically is ok since if attacker has access to your browser, they can do all sorts of things but only in the browser side.
And on the other hand, you will be able to identify this situation by comparing the values.
Shortest answer: No. It's not possible.
you can prevetn the browser from setting javascript cookies by overriding the setter of document.cookie
document.__defineGetter__("cookie", document.__lookupGetter__("cookie") );
document.__defineSetter__("cookie", function() {} );
As others have stated, you can't stop users from editing files on their own computers, which is effectively what you would need to do to stop them from editing a cookie.
That doesn't mean you're out of options though. You could include an authentication code (like HMAC) in the cookie. The user will still be able to read and change that cookie, but at least you will be able to detect when they do and ignore the provided data.
for websockets I have to expose my sessionid from the cookie.
I have searched a bit and found that I should be able to access cookies by:
console.log(document.cookie);
unfortunatly this doesn't work or better document.cookie contains an empty string even chrome itself shows me the cookie also authentication works.
Can it be that chrome hides the cookie for javascript?
That can happen if the server is configured to send the session cookie with the HttpOnly flag. This way the cookie becomes invisible/inaccessible to client side scripting languages like JS.
To achieve your concrete functional requirement, either reconfigure the server to not do so, or look for alternate means, e.g. setting a custom cookie (without the HttpOnly flag, of course), or letting the server side view technology dynamically print the current session ID as a JS variable or as an attribute of some HTML element so that JS can access it by traversing the HTML DOM.