Thursday, November 11, 2010

Cookie Flag: HttpOnly

Today, while trying to understand how cookies work in libcurl, I found that some cookies from Google have a strange flag next to them: HttpOnly.

I know this is common sense to every web developer. As an embedded system engineer who has not dealt with any web programming in the last 9 years, I think I am entitled not to know it...

Anyway, the libcurl example source code shows it as:

[1]: .google.com.tw TRUE / FALSE 1352547231 PREF ID=id_removed:FF=0:TM=1289474431:LM=1289475431:S=oLGFV.....
[2]: #HttpOnly_.google.com.tw TRUE / FALSE 1305286631 NID 40=T9tf9Y.....

This #HttpOnly_ confused me. After some research, I found that it exists because malicious JavaScript code may be able to access other websites' cookies and transfer them to its own site. This is the cookie theft described in Wikipedia (http://en.wikipedia.org/wiki/HTTP_cookie#Cookie_theft).

This flag blocks cookies marked HttpOnly from being accessed by any script on the originating website, so injected malicious code cannot read the important cookies and send them to another site.
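As an added example (my own code, not libcurl's), here is a small parser for the Netscape-format cookie jar that libcurl reads and writes. It handles the #HttpOnly_ prefix shown above, which looks like a comment to readers that do not know the flag, and lists which cookies a page script could still read. The sample lines are constructed from the two entries above with the values shortened.

```python
# Added example (not libcurl's own code): parse a Netscape-format cookie jar as
# written by libcurl and report which cookies a page script could still read.
from collections import namedtuple

HTTPONLY_PREFIX = "#HttpOnly_"

Cookie = namedtuple(
    "Cookie", "domain include_subdomains path secure expires name value httponly"
)

def parse_cookie_jar(text: str) -> list:
    """Parse cookie-jar lines; '#HttpOnly_' lines are cookies, other '#' lines are comments."""
    cookies = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        httponly = False
        if line.startswith(HTTPONLY_PREFIX):
            # libcurl stores HttpOnly cookies behind this prefix so that readers
            # unaware of the flag skip the line as a comment; we keep it and flag it.
            line = line[len(HTTPONLY_PREFIX):]
            httponly = True
        elif line.startswith("#"):
            continue  # ordinary comment line
        fields = line.split()  # name, value, domain and path never contain whitespace
        if len(fields) == 6:
            fields.append("")  # cookie with an empty value
        if len(fields) != 7:
            raise ValueError(f"malformed cookie line: {raw!r}")
        domain, subdomains, path, secure, expires, name, value = fields
        cookies.append(Cookie(domain, subdomains == "TRUE", path, secure == "TRUE",
                              int(expires), name, value, httponly))
    return cookies

def script_readable(cookies: list) -> list:
    """Names of cookies that document.cookie on the originating site could expose."""
    return [c.name for c in cookies if not c.httponly]

# Constructed sample modelled on the two libcurl lines in the post (values shortened).
SAMPLE_JAR = """# Netscape HTTP Cookie File
.google.com.tw\tTRUE\t/\tFALSE\t1352547231\tPREF\tID=id_removed:FF=0
#HttpOnly_.google.com.tw\tTRUE\t/\tFALSE\t1305286631\tNID\t40=T9tf9Y
"""

if __name__ == "__main__":
    for c in parse_cookie_jar(SAMPLE_JAR):
        print(f"{c.name}: httponly={c.httponly} secure={c.secure}")
```

Running it on the sample shows PREF as script-readable and NID as protected; the same check on a real jar (e.g. the file written by curl -c) points out session cookies that should probably carry the flag.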
