<div dir="ltr">The most recently updated support matrix for this feature I was able to find is here: <a href="http://www.browserscope.org/?category=security">http://www.browserscope.org/?category=security</a><br></div><div class="gmail_extra">
<br><br><div class="gmail_quote">On Thu, Aug 15, 2013 at 1:56 PM, Isaac (.ike) Levy <span dir="ltr"><<a href="mailto:ike@blackskyresearch.net" target="_blank">ike@blackskyresearch.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
Hi All,<br>
<br>
On a lark, does anyone know about the state of browser compatibility for v1 "HTTP Only" cookies, (RFC2109)?<br>
<br>
The spec is pretty old (in internet time), it's big deal in preventing XSS attacks and session hijacking, yet I simply can't find any clear stats online regarding browser compatibility.<br>
<br>
--<br>
For anyone curiously thinking, "what is he asking that for?", I'm trying to resolve a problem in an HTTP sticky load balancing scenario, where the load balancer injects a cookie to maintain 'sticky' state. Not my idea of rational web application interaction with browsers, but I digress…<br>
<br>
The timestamp in pre v1 cookies is somehow only being set in client time, causing browsers in various time zones to flap around (also browsers with clocks out of sync). Conversely, I'm able to make the cookie session adhere to the time at the load balancers, (which we obviously have control of), but to do so, the cookie is v1 HTTP Only.<br>
<br>
And with that, I can't figure out if this is so common that my question is moot, or, so uncommon/obtuse that most browsers will break once I 'flip the switch'.<br>
<br>
Whew. Any urls, notes, anecdotes even- would be much appreciated.<br>
<br>
Best,<br>
.ike<br>
<br>
<br>
______________________________<u></u>_________________<br>
talk mailing list<br>
<a href="mailto:talk@lists.nycbug.org" target="_blank">talk@lists.nycbug.org</a><br>
<a href="http://lists.nycbug.org/mailman/listinfo/talk" target="_blank">http://lists.nycbug.org/<u></u>mailman/listinfo/talk</a><br>
</blockquote></div><br></div>