False positive | Cookie Does Not Contain The "HTTPOnly" Attribute

Discussion created by Jan Cinert on Nov 5, 2013

__utmb=250288278.1.10.1383242505; expires=Thu Oct 31 11:31:45 2013; path=/; domain=.agriclub.cz; secure



That cookie is created by the ga.js script. That cookie is not created by a Set-Cookie HTTP header.

Thus, in principle, it is impossible to have an HTTPOnly flag.

The HTTPOnly flag cannot be fixed later by JavaScript. JavaScript does not have access to that flag.

Moreover, even if JavaScript could turn the flag on, that would lead to JavaScript's inability to work with that cookie. That cookie needs to be accessible to JavaScript. Otherwise a website will encounter a malfunction.
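
A triage sketch for this kind of finding, added here as an example and not part of the original post: it compares the cookie names a scanner flagged with the `Set-Cookie` headers captured from the site's responses, separating cookies the server can fix from cookies created by script. The function names and sample headers are constructed (only the `__utmb` name comes from the post), and it assumes the captured headers cover every response the scanner saw.

```javascript
// Added example: triage "cookie lacks HttpOnly" scanner findings.
// A cookie that never appears in a Set-Cookie header was created by script
// (document.cookie), where HttpOnly cannot be set and would break the script.

// Parse one Set-Cookie header value into { name, httpOnly }.
function parseSetCookie(headerValue) {
  const parts = headerValue.split(';').map((p) => p.trim());
  const eq = parts[0].indexOf('=');
  if (eq < 1) return null; // no cookie name: malformed header, skip it
  // Attribute names are case-insensitive; cookie names are not.
  const attrs = parts.slice(1).map((a) => a.split('=')[0].trim().toLowerCase());
  return { name: parts[0].slice(0, eq), httpOnly: attrs.includes('httponly') };
}

// Classify each flagged cookie name against the captured Set-Cookie headers.
function triage(flaggedNames, setCookieHeaders) {
  const serverSet = new Map(); // name -> true only if every header sets HttpOnly
  for (const header of setCookieHeaders) {
    const cookie = parseSetCookie(header);
    if (!cookie) continue;
    const prev = serverSet.get(cookie.name);
    serverSet.set(cookie.name, prev === undefined ? cookie.httpOnly : prev && cookie.httpOnly);
  }
  return flaggedNames.map((name) => {
    if (!serverSet.has(name)) {
      return { name, verdict: 'script-set: HttpOnly not applicable' };
    }
    return serverSet.get(name)
      ? { name, verdict: 'already HttpOnly: stale finding' }
      : { name, verdict: 'server-set without HttpOnly: fix in Set-Cookie' };
  });
}

// Constructed sample: headers captured from responses, and flagged names.
const sampleHeaders = [
  'SESSIONID=abc123; Path=/; Secure',
  'lang=cs; Path=/; Secure; HttpOnly',
];
const sampleFlagged = ['__utmb', 'SESSIONID', 'lang'];

console.log(triage(sampleFlagged, sampleHeaders));
```

Only the `server-set without HttpOnly` rows are actionable on the server; the `script-set` rows are the case the post describes.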