[nycbug-talk] RFC2109 v1 "HTTP Only" cookies?

Isaac (.ike) Levy ike at blackskyresearch.net
Thu Aug 15 16:56:00 EDT 2013

Hi All,

On a lark, does anyone know about the state of browser compatibility 
for v1 "HTTP Only" cookies, (RFC2109)?

The spec is pretty old (in internet time), it's big deal in preventing 
XSS attacks and session hijacking, yet I simply can't find any clear 
stats online regarding browser compatibility.

For anyone curiously thinking, "what is he asking that for?", I'm 
trying to resolve a problem in an HTTP sticky load balancing scenario, 
where the load balancer injects a cookie to maintain 'sticky' state.  
Not my idea of rational web application interaction with browsers, but 
I digress…

The timestamp in pre v1 cookies is somehow only being set in client 
time, causing browsers in various time zones to flap around (also 
browsers with clocks out of sync).  Conversely, I'm able to make the 
cookie session adhere to the time at the load balancers, (which we 
obviously have control of), but to do so, the cookie is v1 HTTP Only.

And with that, I can't figure out if this is so common that my question 
is moot, or, so uncommon/obtuse that most browsers will break once I 
'flip the switch'.

Whew.  Any urls, notes, anecdotes even- would be much appreciated.


More information about the talk mailing list