http://www.codinghorror.com/blog/2008/08/protecting-your-cookies-httponly.html
How using the HttpOnly flag in the Set-Cookie header instructs the browser that only the server (and not malicious JavaScript) can access this cookie.
The risk is that an XSS payload, once loaded, can forward an authentication cookie to a remote site, where a malicious user can then use it to steal your identity by loading the site that issued the cookie under your identity.
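As an added example (not code from the linked post), the check below audits Set-Cookie headers for the HttpOnly flag discussed above (and the companion Secure flag) and rewrites a weak header into a hardened one. The sample headers and the list of session-cookie names are constructed for illustration.

```python
# Added example: audit Set-Cookie headers for HttpOnly/Secure and harden them.
# Constructed sample response headers, as a server might send them.
SAMPLE_HEADERS = [
    "SessionId=abc123; Path=/",                    # script-readable: XSS can exfiltrate it
    "SessionId=abc123; Path=/; HttpOnly; Secure",  # hardened form
    "prefs=dark; Path=/",                          # not a session cookie
]

# Constructed list of cookie names treated as authentication/session cookies.
SESSION_NAMES = {"sessionid", "auth", "jsessionid", "asp.net_sessionid"}

# Canonical casing used when rebuilding a header.
CANONICAL = {"path": "Path", "domain": "Domain", "expires": "Expires",
             "max-age": "Max-Age", "samesite": "SameSite",
             "httponly": "HttpOnly", "secure": "Secure"}

def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attr_lower: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        if p:
            k, _, v = p.partition("=")
            attrs[k.strip().lower()] = v.strip()
    return name.strip(), value.strip(), attrs

def audit(headers):
    """Return [(cookie_name, [missing flags])] for session cookies lacking protection."""
    findings = []
    for h in headers:
        name, _, attrs = parse_set_cookie(h)
        if name.lower() not in SESSION_NAMES:
            continue
        missing = [f for f in ("HttpOnly", "Secure") if f.lower() not in attrs]
        if missing:
            findings.append((name, missing))
    return findings

def harden(header):
    """Add HttpOnly and Secure to a Set-Cookie header if absent (idempotent)."""
    name, value, attrs = parse_set_cookie(header)
    attrs.setdefault("httponly", "")
    attrs.setdefault("secure", "")
    rebuilt = [f"{name}={value}"]
    for k, v in attrs.items():
        key = CANONICAL.get(k, k)
        rebuilt.append(f"{key}={v}" if v else key)
    return "; ".join(rebuilt)
```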