mozilla/node-client-sessions

httpOnly true by default (if not set explicitly)

Closed this issue · 3 comments

Suggestion: set it to false by default, or at the very least state clearly in the docs that it is so. It seems counterintuitive that a session cookie cannot be accessed by JavaScript by default. Isn't JavaScript exactly the place where one would want access to such items? IMHO.

Usually, a session cookie would never be accessed in the browser JavaScript, as that allows possible tampering, and the session only matters on the server.

This used to be the case for sure. I believe it is less and less so for modern/SPA-type apps, where apps running in the browser both need to know IF the user is logged in, and also support a type of "cookie login" (without password) to refresh the session if so. Assuming the cookie is secure/tamper-resistant, having it available in JavaScript shouldn't hurt, right (unless the crypto used is very weak)? But I see your point as well; for stateless web apps access to the cookie should matter less.

After I figured out this library does not clear the session cookie when calling reset(), I figured I needed to track the logged in state separately anyway, so I used a regular cookie instead. Which means there is no longer any need to attempt to read the cookie client side. Thanks.