[nycbug-talk] RFC2109 v1 "HTTP Only" cookies?

Bob Ippolito bob at redivi.com
Thu Aug 15 17:41:51 EDT 2013


The most recently updated support matrix for this feature I was able to
find is here: http://www.browserscope.org/?category=security


On Thu, Aug 15, 2013 at 1:56 PM, Isaac (.ike) Levy <ike at blackskyresearch.net
> wrote:

>
> Hi All,
>
> On a lark, does anyone know about the state of browser compatibility for
> v1 "HTTP Only" cookies, (RFC2109)?
>
> The spec is pretty old (in internet time), it's big deal in preventing XSS
> attacks and session hijacking, yet I simply can't find any clear stats
> online regarding browser compatibility.
>
> --
> For anyone curiously thinking, "what is he asking that for?", I'm trying
> to resolve a problem in an HTTP sticky load balancing scenario, where the
> load balancer injects a cookie to maintain 'sticky' state.  Not my idea of
> rational web application interaction with browsers, but I digress…
>
> The timestamp in pre v1 cookies is somehow only being set in client time,
> causing browsers in various time zones to flap around (also browsers with
> clocks out of sync).  Conversely, I'm able to make the cookie session
> adhere to the time at the load balancers, (which we obviously have control
> of), but to do so, the cookie is v1 HTTP Only.
>
> And with that, I can't figure out if this is so common that my question is
> moot, or, so uncommon/obtuse that most browsers will break once I 'flip the
> switch'.
>
> Whew.  Any urls, notes, anecdotes even- would be much appreciated.
>
> Best,
> .ike
>
>
> ______________________________**_________________
> talk mailing list
> talk at lists.nycbug.org
> http://lists.nycbug.org/**mailman/listinfo/talk<http://lists.nycbug.org/mailman/listinfo/talk>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.nycbug.org:8443/pipermail/talk/attachments/20130815/196b7c92/attachment.htm>


More information about the talk mailing list