httpOnly cookies in Firefox and Flock browsers!

Hi malware fighters,

Don’t make it easy for the phisher or cross-site scripting miscreant; install this add-on for Firefox or Flock:
https://addons.mozilla.org/en-US/firefox/addon/3629
This enhances your security by heaps.
http://blog.mattmecham.com/archives/2006/09/http_only_cookies_in_firefox.html
HttpOnly cookies are a mechanism Microsoft developed for IE6 SP1 to add some security to cookies. The web developer would set a cookie (for instance the session cookie) to be HttpOnly (both ASP and PHP support setting HttpOnly cookies) and the browser would only ever use that cookie when sending HTTP requests, not when client side scripting asks to read the cookie. This means if there was a cross site scripting flaw on the website the JS wouldn’t be able to use the cookies. The solution isn’t perfect, but it does what it’s meant to do and doesn’t harm anyone.

Support for this is already in the Firefox 3 alphas, if you are inclined to use them, otherwise you’ll have to wait until November or so for the first official ff3 release.

Read about the extension here:
http://spellbook.infinitiv.it/2006/10/24/httponly-cookies-in-firefox-20.htm

polonus
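As an added example (not from this post or the linked blogs), here is a small JavaScript script showing what the HttpOnly attribute looks like on the wire and how to check a response's Set-Cookie headers for cookies that page script could still read through document.cookie. The header samples and function names are constructed for illustration, not taken from any real site.

```javascript
// Added example: audit Set-Cookie headers for cookies that lack HttpOnly.
// Sample headers and function names below are constructed, not from the post.

// Parse one Set-Cookie header value into its name, value and attribute map.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter((p) => p.length > 0);
  const [nameValue, ...attrParts] = parts;
  const eq = nameValue.indexOf('=');
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq).trim();
  const value = eq === -1 ? '' : nameValue.slice(eq + 1).trim();
  const attrs = {};
  for (const attr of attrParts) {
    const i = attr.indexOf('=');
    // Attribute names are case-insensitive: HttpOnly, httponly and HTTPONLY all count.
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// A cookie is HttpOnly when the bare HttpOnly attribute is present.
function isHttpOnly(cookie) {
  return cookie.attrs.httponly === true;
}

// Given every Set-Cookie header from one response, return the names of the
// cookies that client-side script would still be able to read.
function cookiesExposedToScript(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => !isHttpOnly(c))
    .map((c) => c.name);
}

// Build the Set-Cookie header a server should emit for a session cookie:
// HttpOnly keeps it away from script, Secure keeps it off plain HTTP.
function buildSessionCookie(name, value, { secure = true } = {}) {
  const attrs = ['Path=/', 'HttpOnly'];
  if (secure) attrs.push('Secure');
  return `${name}=${value}; ${attrs.join('; ')}`;
}

// Constructed sample response: the session cookie is HttpOnly, a preference
// cookie is not. Only the latter is readable from document.cookie.
const SAMPLE_HEADERS = [
  'PHPSESSID=abc123; Path=/; HttpOnly',
  'prefs=dark; Path=/',
];

console.log('cookies readable by script:', cookiesExposedToScript(SAMPLE_HEADERS));
console.log('server should send:', buildSessionCookie('PHPSESSID', 'abc123'));
```

The audit only tells you whether the server asked for the protection; whether the browser honours it is what the add-on in this thread adds for Firefox 2 and Flock.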

IE6 SP1
A little old isn't it ??? :)

It might be old, but I assume the HttpOnly cookie function will have been carried forward from that point, as it is a security enhancement, not a vulnerability, so the age isn’t relevant, and it is talking about Firefox also going down this path initiated in IE6 SP1.

Hi DavidR,

I think it is vital for those on FF or Flock to install this add-on: IE has had this protection for some time now, while the regular FF or Flock browser users were without it and will have to wait until FF 3.0 for it to be implemented. That means being unprotected until November or thereabouts.
The only sad thing is that the security aware have to find out these things for themselves; that is why I reported it here, so all our webforum members that use Mozilla-type browsers could have this enhancement of protection. Where security measures of IE are good, they should be incorporated in FF or Flock as well. That is my humble opinion.

polonus