What should be the correct behavior of the browser when sending and receiving httponly cookies via ajax?

I currently have a problem with Firefox, where it receives a cookie with the httponly flag. However, when the subsequent response is sent to the server, the request does not contain any httponly flag (which may be the correct behavior). When the response is returned, it returns a cookie, but it does not have an httponly flag attached, as I assume it returns it in the same condition in which it got it.

So is this the right behavior? Should I manually update the state of the httponly cookie on the server for each request? Or should an httponly state exist between calls? I'm sure there might be some other behavior in the browser, but just assume modern major browsers.

1 answer

A few moments after sending, I found:

Understanding the intended behavior of the HTTPOnly flag

which indicates that this is the correct behavior, and the server should constantly add the httponly flag. It seems a little strange, but hey, as long as I know what the alleged behavior is.


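The behavior discussed in this thread, as an added example that is not part of the original question or answer: the `Cookie` request header carries only `name=value` pairs, so a server that copies an incoming cookie into a new `Set-Cookie` drops `HttpOnly` unless it sets the flag again. The cookie name `session`, its value and the function names are constructed for illustration.

```python
from http.cookies import SimpleCookie

# Constructed sample: the Set-Cookie value the server sends first.
INITIAL_SET_COOKIE = "session=abc123; HttpOnly"


def request_cookie_header(set_cookie_value):
    """Build the Cookie header a browser sends back for a stored cookie.

    Attributes such as HttpOnly stay in the browser's cookie store;
    only name=value pairs go on the wire (RFC 6265, section 5.4).
    """
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    return "; ".join(f"{name}={m.value}" for name, m in jar.items())


def reissue_naive(cookie_header):
    """Echo incoming cookies into Set-Cookie values unchanged.

    The server never saw the HttpOnly flag in the request, so the
    re-issued cookie has none and replaces the protected one.
    """
    incoming = SimpleCookie()
    incoming.load(cookie_header)
    return [m.OutputString() for m in incoming.values()]


def reissue_hardened(cookie_header, http_only_names):
    """Re-issue cookies, setting HttpOnly again from server-side policy."""
    incoming = SimpleCookie()
    incoming.load(cookie_header)
    values = []
    for name, morsel in incoming.items():
        if name in http_only_names:
            morsel["httponly"] = True  # the flag must be sent on every Set-Cookie
        values.append(morsel.OutputString())
    return values


if __name__ == "__main__":
    header = request_cookie_header(INITIAL_SET_COOKIE)
    print("Cookie:", header)
    print("naive    Set-Cookie:", reissue_naive(header))
    print("hardened Set-Cookie:", reissue_hardened(header, {"session"}))
```
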