HttpOnly Update

Jim asked a great question – what is the current state of the nation for HttpOnly? I’m glad he asked!

Pass – read/write cookie protection

  • IE 7.0
  • Firefox >= 2.0.0.5
  • Firefox 3.0 beta
  • Camino 1.5.4

Barely Pass – read only cookie protection

  • IE 6.0
  • Opera 9.50 beta

Fail – no cookie protection

  • Safari 3.1
  • Firefox < 2.0.0.5
  • Opera 9.2.6 (currently shipping stable version)

Coverage of HttpOnly Support

According to my Google Analytics account, 93.6% of browsers support HttpOnly for preventing the cookie from being read. The worst offender is Apple, with a market share of 5.3% on my heavily trafficked site. They have no support whatsoever. In fact, they’ve had a bug outstanding for some time that no one is assigned to. BAD APPLE!

Conclusion

Most sites do not use cookies for anything other than the session ID. This is best practice. In these instances, there is NO REASON for them to read or write the cookie using JavaScript. Although there are ways around HttpOnly (some work better than others, depending on your browser), it is worthwhile for frameworks and app server vendors to send this attribute automatically. Those very few folks who really need to be pwned should have the ability to turn this protection off.
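Since the argument is that the session cookie should carry HttpOnly by default, here is an added example (not code from the original post) of the check a framework or a reviewer can run: a small Node.js script that parses Set-Cookie header values and reports any session cookie sent without HttpOnly, alongside a builder that emits the header correctly. The cookie names and sample headers are constructed for illustration.

```javascript
// Added example, not from the original post. Audits Set-Cookie headers for the
// HttpOnly attribute and builds a correctly flagged session cookie. Node.js, no
// dependencies. The sample headers and cookie names below are constructed.

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are case-insensitive (HttpOnly, httponly, HTTPOnly all
// count), so they are lower-cased before being stored.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq).trim();
  const value = eq === -1 ? '' : parts[0].slice(eq + 1).trim();
  const attrs = {};
  for (const p of parts.slice(1)) {
    const i = p.indexOf('=');
    const key = (i === -1 ? p : p.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : p.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// Report session cookies that lack HttpOnly. sessionNames lists the cookie
// names the application uses to carry its session identifier; other cookies
// (a theme preference, say) are ignored because script may legitimately use them.
function auditSetCookie(headers, sessionNames) {
  const wanted = new Set(sessionNames.map((n) => n.toLowerCase()));
  const findings = [];
  for (const h of headers) {
    const c = parseSetCookie(h);
    if (!wanted.has(c.name.toLowerCase())) continue;
    if (!('httponly' in c.attrs)) {
      findings.push(`${c.name}: missing HttpOnly, readable via document.cookie`);
    }
  }
  return findings;
}

// Build a Set-Cookie value for a session id with HttpOnly set, the form a
// framework should emit by default.
function buildSessionCookie(name, value) {
  return `${name}=${value}; Path=/; HttpOnly`;
}

// Constructed sample: an application that forgot the attribute on its session cookie.
const sampleHeaders = [
  'JSESSIONID=abc123; Path=/',
  'theme=dark; Path=/; Max-Age=31536000',
];
console.log(auditSetCookie(sampleHeaders, ['JSESSIONID']));
```

Running it prints a single finding for JSESSIONID; the theme cookie is skipped because it is not a session cookie.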
