What are Secure httponly Cookies?

A httpOnly cookie, also known as a secure cookie, is a file that is stored on a user’s hard drive. It is used for transmitting http or https over the internet where https is a secure protocol and provides a secure transmission of data over your internet connection. It is a Microsoft extension as a mechanism which Microsoft developed for IE6 SP1 to add some security. The idea is that cookies marked as httpOnly cannot be accessed from JavaScript. The benefit of secure httponly cookies are they stop stealing through XSS vulnerabilities. Original versions of Mozilla Firefox did not support these but from Firefox v. onwards it does.

Differences between Regular &httpOnly Cookies.

If a browser does not support HttpOnly and a website attempts to set a HttpOnly cookie, the HttpOnly flag will be ignored by the browser, thus creating a traditional, script accessible cookie. As a result, the typically session cookie becomes vulnerable to theft of modification by malicious script.

How do they work exactly?

A Http Cookie works by providing the server a mechanism to store and retrieve state information on the client application's system. This mechanism allows Web-based applications the ability to store information about selected items, user preferences, registration information, and other information that can be retrieved later. They work by two related headers set-cookie and cookie. The set-cookie header is set in response to the http request, which is used to create a cookie on the users system. The header is included by the client application with an HTTP request sent to a server, if there is a cookie that has a matching domain and path.

What is an HttpOnly cookie?

This contains a special ‘HttpOnly’ flag included in the http cookie header that ensures cookies will only be used when transmitting HTTP (or HTTPS) requests.

Combined the Secure setting and and HttpOnly flag help to introduce a more robust cookie that is less prone to attacks. Combined they allow the browser to restrict access to cookie data from scripts within the web browser. This limits the potential damage many cross site script attacks can cause– specifically, the attacks that target cookie data.

The Cookie List


Sometimes known as a transient cookie, stored in temporary memory and remains available for the duration of your active “session” within the browser.

session cookie...


Also known as a stored cookie, it stores a file on your hard drive. The cookie would remain on the hard drive until it reaches its expiration date.

persistent cookie...

Secure & HttpOnly

A secure cookie is just like a regular cookie, except it contains a special ‘HttpOnly’ flag that instructs the browser to restrict access to cookie data.

secure httponly cookie...


Visit a web site, but have a cookie created by a completely different domain. This allows the third-party domain to track you i.e. Tracking Cookies

Third-Party Cookie...


Dangerous: Uses various techniques to resists deletion even when you clear your entire history they can remain hidden and reappear like a virus!

Super Cookie...


Dangerous: This is a cookie that can come back to life, hence the name Zombie. After it has been deleted it recreates itself.

Zombie Cookie...


This is an example of a VERY persistent cookie. A cross between Super and Zombie types of cookie.

Ever Cookie...