Network Computing is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

No cookie for you!

In preparation for my upcoming presentation on web security and abusing browsers, I was going over the long list of protection measures that either aren't in place, or don't work against the potential threats, when I stumbled across one bright spot in an otherwise bleak landscape.
HttpOnly cookies were designed by the Internet Explorer developers back in 2002 and implemented in IE 6sp1, unfortunately, uptake among other browsers was extremely slow, and it's been under-utilized in web applications. Well, the Firefox developers finally got around to implementing HttpOnly in Firefox, and Safari currently supports it based on my testing with 2.0.4 (anybody know when it first became supported -- it wasn't earlier last year). Unfortunately, Opera 9.10 still looks like it doesn't support HttpOnly cookies, and the fix in FF won't be public in a stable release until Firefox 3.0, so unless you're comfortable downloading and running the 3.0 alphas (called "Minefield, no less), we still have a ways to go before support becomes more ubiquitous.

Fortunately, there's no real downside to implementing the HttpOnly cookies on your applications even without complete browser coverage. The option was never meant as an ultimate fix, merely another useful protection mechanism. If you're doing any web development at all, definitely start checking out if your languages support easy use of the option (though often times even without language support, there are easy ways to manually enable it).