Chrome developer tools > resources > cookies > http column, does a checkmark here indicate HttpOnly cookie?


Solution 1

Yes. Enter document.cookie in the console, and you'll see that none of the checked cookies are visible.

Name Value Domain Path Expires Size HTTP Secure

HTTP = HttpOnly flag, Secure = secure flag.

Solution 2

Yes. Right-click on your page or press the F12 button. This will open the developer tools window. Go to the Application tab. It'll show as follows:


Now, typing document.cookie on the tab, you'll see only csrf token being shown.

To specify session cookies to be httpCookie by default, set the 'useHttpOnly' attribute in context.xml in Tomcat, for a Java web application. For more information, refer to http://tomcat.apache.org/tomcat-7.0-doc/config/context.html#Common_Attributes
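
As an added example (not part of the original answers), the following JavaScript mirrors what the HTTP and Secure columns report: it parses Set-Cookie header values, shows which cookies document.cookie would expose, and flags a session cookie that lacks either flag. The sample headers and helper names are constructed for illustration; JSESSIONID is assumed as the session cookie name, and path/domain matching is ignored.

```javascript
// Constructed sample response headers (not taken from the page).
const sampleSetCookie = [
  "JSESSIONID=3F2A9C; Path=/app; Secure; HttpOnly",
  "csrftoken=abc123; Path=/; Secure; SameSite=Lax",
  "theme=dark; Path=/",
];

// Parse one Set-Cookie header value; returns null if there is no name=value pair.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) return null;
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    httpOnly: false,
    secure: false,
  };
  for (const attr of attrs) {
    // Attribute names are case-insensitive; HttpOnly and Secure carry no value.
    const key = attr.split("=")[0].trim().toLowerCase();
    if (key === "httponly") cookie.httpOnly = true;
    if (key === "secure") cookie.secure = true;
  }
  return cookie;
}

// What document.cookie would return: HttpOnly cookies are left out.
function scriptVisible(cookies) {
  return cookies
    .filter((c) => !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Findings for session cookies that lack a flag (session names are an assumption).
function auditSession(cookies, sessionNames = ["JSESSIONID"]) {
  return cookies
    .filter((c) => sessionNames.includes(c.name))
    .flatMap((c) => [
      ...(c.httpOnly ? [] : [`${c.name}: missing HttpOnly`]),
      ...(c.secure ? [] : [`${c.name}: missing Secure`]),
    ]);
}

const parsed = sampleSetCookie.map(parseSetCookie).filter(Boolean);
console.log("document.cookie would show:", scriptVisible(parsed));
console.log("session cookie findings:", auditSession(parsed));
```
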

Solution 3

So 2 things.

1) HTTP only cookie: this name is a bit misleading, as we can send an HTTPOnly cookie over HTTPS and it works perfectly fine. The main characteristic of an HTTP Only cookie is that it can't be accessed using JavaScript. In fact, you can't even manually edit this in Chrome's Application tab.

2) So how can you edit an HTTP Only cookie? In Chrome you can use an extension to edit the cookie during development. In production mode there is no way you can adulterate this without a man-in-the-middle attack on the HTTP connection.

Solution 4

Today (May 2016), googling around for the same reason, I found this question and this page from developers.google.com explaining:

HTTP: If present, indicates that cookies should be used only over HTTP, and JavaScript modification is not allowed.

Author by

Admin

Updated on July 05, 2022

Comments

  • Admin
    Admin almost 2 years

    Does the checkmark at the Http column of Chrome devtool's Cookie resource panel indicate a HttpOnly cookie?

    I can't find docs that confirm this, though I suspect it is the case. I am trying to verify my app is using HttpOnly for session cookies.

  • vivex
    vivex over 8 years
    I have one cookie variable as HTTP checked, I am not able to get that variable from document.cookie. All non-HTTP-checked variables are coming, but not HTTP checked. Why so?
  • Rob W
    Rob W over 8 years
    @Vivek httpOnly cookies are only visible to the server, not to JavaScript code.
  • Omortis
    Omortis almost 6 years
    #1 above is incorrect. In Chrome's dev tools I seem to be able to edit cookies with HTTP checked with no problem? They do not appear in document.cookies.
  • knownasilya
    knownasilya over 5 years
    The cookie resets though after you refresh the page.