maxcountryman / flask-seasurf

SeaSurf is a Flask extension for preventing cross-site request forgery (CSRF).
http://readthedocs.org/docs/flask-seasurf/

httponly cookie? #22

Closed ThomasWaldmann closed 11 years ago

ThomasWaldmann commented 11 years ago

after dealing with issue #20 (and IF you still have the code for the separate cookie then), consider using a httponly=True cookie (or add a comment about why it should be False to that place in the source).

maxcountryman commented 11 years ago

Why?

ThomasWaldmann commented 11 years ago

IF you do not need to read the cookie by JS, a httponly cookie will reduce the attack surface as the browser will not allow reading the cookie by JS then, but only transmit it to the server by http(s).

Of course, IF you need to read the cookie by JS, you can't do that (but maybe should document that usecase then, so future reviewers aren't wondering about that).

maxcountryman commented 11 years ago

The cookie needs to be consumable by JS, i.e. AJAX. That's why the vary header is used. This case is in fact documented.

ghost commented 10 years ago

Not true. Cookies still work with AJAX as XmlHttpRequest support (or even iframe remoting, on older browsers) is all that is technically required. Not 100% safe but still... you must weigh your options (pros & cons) when building your application. Please refer to this Stack Overflow answer http://stackoverflow.com/a/29092/4039934
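The double-submit pattern the thread is arguing about, as an added example that is not flask-seasurf's own code: the server issues the token cookie, the browser lets script read it only when HttpOnly is off, and the server accepts the request only when the cookie token and the header token match. The cookie name `_csrf_token` and header `X-CSRFToken` are assumed here to be SeaSurf's defaults, and the "browser" is a constructed stand-in for `document.cookie`.

```python
# Added example, not flask-seasurf's own code. Cookie/header names are assumed
# to match SeaSurf's defaults; the "browser" below is a constructed stand-in.
import hmac
import secrets
from http.cookies import SimpleCookie

COOKIE_NAME = "_csrf_token"   # assumed SeaSurf default cookie name
HEADER_NAME = "X-CSRFToken"   # assumed SeaSurf default header name


def issue_token_cookie(httponly: bool) -> tuple[str, str]:
    """Server side: mint a token and the Set-Cookie value that carries it."""
    token = secrets.token_hex(20)
    c = SimpleCookie()
    c[COOKIE_NAME] = token
    c[COOKIE_NAME]["secure"] = True
    c[COOKIE_NAME]["httponly"] = httponly   # the flag this issue is about
    return token, c.output(header="").strip()


def js_readable_cookies(set_cookie_value: str) -> dict:
    """Simulate document.cookie: browsers hide HttpOnly cookies from script."""
    c = SimpleCookie()
    c.load(set_cookie_value)
    return {name: m.value for name, m in c.items() if not m["httponly"]}


def csrf_check(cookie_header: str, headers: dict) -> bool:
    """Server-side double-submit check: cookie token and header token must match."""
    c = SimpleCookie()
    c.load(cookie_header)
    cookie_tok = c[COOKIE_NAME].value if COOKIE_NAME in c else ""
    header_tok = headers.get(HEADER_NAME, "")
    return bool(cookie_tok) and hmac.compare_digest(
        cookie_tok.encode(), header_tok.encode())


def ajax_post_passes(httponly: bool) -> bool:
    """Round trip: the browser always attaches the cookie, but script can only
    add the X-CSRFToken header if it was able to read the token."""
    token, set_cookie = issue_token_cookie(httponly)
    visible = js_readable_cookies(set_cookie)
    headers = {HEADER_NAME: visible[COOKIE_NAME]} if COOKIE_NAME in visible else {}
    return csrf_check(f"{COOKIE_NAME}={token}", headers)
```

With `httponly=True` the AJAX request is rejected because script never sees the token, which is the reason the extension leaves the flag off for this cookie.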