[nycbug-talk] RFC2109 v1 "HTTP Only" cookies?

Isaac (.ike) Levy ike at blackskyresearch.net
Fri Aug 16 07:56:12 EDT 2013


On August 15, 2013 05:41:51 PM EDT, Bob Ippolito <bob at redivi.com> wrote:

> The most recently updated support matrix for this feature I was able to
> find is here: http://www.browserscope.org/?category=security
> On Thu, Aug 15, 2013 at 1:56 PM, Isaac (.ike) Levy <ike at blackskyresearch.net
>> wrote:
>> Hi All,
>> On a lark, does anyone know about the state of browser compatibility for
>> v1 "HTTP Only" cookies, (RFC2109)?
>> The spec is pretty old (in internet time), it's big deal in preventing XSS
>> attacks and session hijacking, yet I simply can't find any clear stats
>> online regarding browser compatibility.
>> --
>> For anyone curiously thinking, "what is he asking that for?", I'm trying
>> to resolve a problem in an HTTP sticky load balancing scenario, where the
>> load balancer injects a cookie to maintain 'sticky' state.  Not my idea of
>> rational web application interaction with browsers, but I digress…
>> The timestamp in pre v1 cookies is somehow only being set in client time,
>> causing browsers in various time zones to flap around (also browsers with
>> clocks out of sync).  Conversely, I'm able to make the cookie session
>> adhere to the time at the load balancers, (which we obviously have control
>> of), but to do so, the cookie is v1 HTTP Only.
>> And with that, I can't figure out if this is so common that my question is
>> moot, or, so uncommon/obtuse that most browsers will break once I 'flip the
>> switch'.
>> Whew.  Any urls, notes, anecdotes even- would be much appreciated.
>> Best,
>> .ike

Bob- that's great- exactly the kind of thing I was looking for, thanks.

Also, thanks to everyone else who emailed me off-list with some great 
answers, all revolving around using an epoch string in the 
sticky-session cookie.

However, I neglected to mention that this is on a netscaler, so all I 
have to work with is a cli/gui 'knob' of sorts- their implementation 
relies on cookie date-stamp, and their implementation is forcing me 
down this path.  I truly wish it were pound or haproxy or nginx, where 
implementing reliable sticky http sessions would be rather trivial.


More information about the talk mailing list