[nycbug-talk] RFC2109 v1 "HTTP Only" cookies?
Isaac (.ike) Levy
ike at blackskyresearch.net
Thu Aug 15 16:56:00 EDT 2013
On a lark, does anyone know about the state of browser compatibility
for v1 "HTTP Only" cookies, (RFC2109)?
The spec is pretty old (in internet time), it's a big deal in preventing
XSS attacks and session hijacking, yet I simply can't find any clear
stats online regarding browser compatibility.
For anyone curiously thinking, "what is he asking that for?", I'm
trying to resolve a problem in an HTTP sticky load balancing scenario,
where the load balancer injects a cookie to maintain 'sticky' state.
Not my idea of rational web application interaction with browsers, but
The timestamp in pre v1 cookies is somehow only being set in client
time, causing browsers in various time zones to flap around (also
browsers with clocks out of sync). Conversely, I'm able to make the
cookie session adhere to the time at the load balancers, (which we
obviously have control of), but to do so, the cookie is v1 HTTP Only.
And with that, I can't figure out if this is so common that my question
is moot, or, so uncommon/obtuse that most browsers will break once I
'flip the switch'.
Whew. Any urls, notes, anecdotes even, would be much appreciated.
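To make the clock-skew problem from the post concrete, here is an added example (not from the poster or the list) that parses a Set-Cookie header and computes how long a browser will keep the cookie: an absolute Expires stamp is compared against the client's own clock, so a browser two hours fast discards the sticky cookie immediately, while a relative Max-Age (the RFC2109 v1 attribute) gives the same lifetime regardless of skew. The SERVERID cookie name, the header values and the server time are constructed for the example.

```python
import email.utils
from datetime import datetime, timedelta, timezone

# Constructed sample: the load balancer's clock at the moment it sets the cookie.
SERVER_NOW = datetime(2013, 8, 15, 20, 56, 0, tzinfo=timezone.utc)

# Two ways of expressing "keep this sticky cookie for one hour" (constructed values).
NETSCAPE_COOKIE = "SERVERID=web1; Expires=Thu, 15 Aug 2013 21:56:00 GMT; Path=/"
V1_COOKIE = "SERVERID=web1; Max-Age=3600; Path=/; HttpOnly"


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, attributes).
    Attribute names are lower-cased; flag attributes map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def effective_lifetime(header, server_now, client_skew):
    """Seconds until the browser considers the cookie expired.

    server_now  -- the load balancer's clock (aware datetime)
    client_skew -- how far the browser's clock is from the server's (timedelta)

    Max-Age is relative to receipt, so the client clock is irrelevant.
    Expires is absolute and is compared against the *client's* clock, so a
    skewed or wrongly-zoned browser clock shifts the lifetime by the skew.
    Returns None for a session cookie (no expiry attribute at all).
    """
    _, _, attrs = parse_set_cookie(header)
    if "max-age" in attrs:  # Max-Age takes precedence over Expires when both are present
        return int(attrs["max-age"])
    if "expires" in attrs:
        expires_at = email.utils.parsedate_to_datetime(attrs["expires"])
        client_now = server_now + client_skew
        return int((expires_at - client_now).total_seconds())
    return None


def is_httponly(header):
    """True if the cookie is flagged HttpOnly (not readable by page script)."""
    return "httponly" in parse_set_cookie(header)[2]
```

A negative result from effective_lifetime means the browser drops the cookie on arrival, which is exactly the "flapping" stickiness the post describes.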