This is a migrated thread and some comments may be shown as answers.

Cookie HttpOnly State with Fiddler4?

James asked on 22 Apr 2015, 06:39 PM
I am attempting to view cookie HttpOnly state with Fiddler4. I know HttpOnly is enabled for certain cookies because I am viewing it with a different browser-dependent tool. With Fiddler4 I do not see the HttpOnly state for these cookies, even in the raw data. What options are available with Fiddler4 for viewing the cookie HttpOnly state?

3 Answers, 1 is accepted

Eric Lawrence
Telerik team
answered on 23 Apr 2015, 06:11 PM
Hello, James--

HTTPOnly is an attribute that is provided by the server when it is setting a cookie to indicate that the cookie should not be visible to JavaScript (as a security measure); the cookie is only to be sent to the server via the Cookie request header.

The HTTPOnly attribute is only visible in the Set-Cookie response header when a cookie is set; the client will not send that attribute back to the server when it resends the cookie to the server on subsequent requests.

Browser tools that show a cookie's httponly state do so by directly examining the cookie metadata within the browser's cookie database.

Regards,
Eric Lawrence
Telerik
 

James
answered on 23 Apr 2015, 07:37 PM
Thank you, Eric. Everything in your post is understood. Nevertheless, I do appreciate the clarifying information. I admit that I have little experience with Fiddler, as yet. So, perhaps I am missing something otherwise obvious. Still, I have not found any way to present the HttpOnly state for cookies that I know have that option set. I am able to confirm this with another debugging tool. I would prefer to use Fiddler because it is useful with any of the web browsers that I use. The other debug tool is not as versatile. So, if Fiddler is capable of presenting the HttpOnly state for these cookies, as various blogs and other information sources have indicated, what should I do in my use of Fiddler or its optional settings to view it?
Eric Lawrence
Telerik team
answered on 24 Apr 2015, 04:22 PM
Hello, James:

I think you're asking: "Where can I see the httponly attribute on the Set-Cookie header?" 

You can see Set-Cookie headers (and thus, this attribute) in the Headers response inspector, or in the Cookies response inspector.

You might find the Flag responses that set cookies checkbox at the bottom of the Filters tab useful.

Regards,
Eric Lawrence
Telerik
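
The point made in the answers above, as an added example that is not part of the original thread and is not Fiddler code: a Python sketch that reads raw header text (such as a session's headers copied out of a proxy) and reports which cookies were set with HttpOnly, then shows that the follow-up Cookie request header carries names and values only. The sample traffic, host name and function names are constructed for illustration.

```python
# Constructed sample traffic (not from the thread): a response that sets three
# cookies and the follow-up request that sends them back.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: theme=dark; Path=/; Expires=Wed, 22 Apr 2026 18:39:00 GMT\r\n"
    "set-cookie: csrf=xyz; SameSite=Strict; httponly\r\n"
    "\r\n"
)
SAMPLE_REQUEST = (
    "GET /account HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Cookie: session=abc123; theme=dark; csrf=xyz\r\n"
    "\r\n"
)

def header_values(raw, name):
    """Every value of header `name` (case-insensitive) in a raw HTTP message."""
    head = raw.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:  # skip the request/status line
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() == name.lower():
            values.append(value.strip())
    return values

def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie name, set of attribute names)."""
    pair, *attrs = value.split(";")
    name = pair.split("=", 1)[0].strip()
    # Attribute names are case-insensitive, so normalise before comparing.
    return name, {a.split("=", 1)[0].strip().lower() for a in attrs if a.strip()}

def httponly_report(raw_response):
    """Map cookie name -> whether its Set-Cookie header carried HttpOnly."""
    parsed = (parse_set_cookie(v) for v in header_values(raw_response, "Set-Cookie"))
    return {name: "httponly" in attrs for name, attrs in parsed}

def request_cookie_names(raw_request):
    """Names in the Cookie request header, which holds name=value pairs only."""
    pairs = ";".join(header_values(raw_request, "Cookie")).split(";")
    return [p.split("=", 1)[0].strip() for p in pairs if p.strip()]

if __name__ == "__main__":
    for name, flagged in httponly_report(SAMPLE_RESPONSE).items():
        print(f"{name}: HttpOnly={'yes' if flagged else 'NO'}")
    print("Cookie request header carries:", request_cookie_names(SAMPLE_REQUEST))
```

A cookie reported without HttpOnly here (`theme` in the sample) is one that page script can read; the request side never reveals that, so the check has to run on the response that set the cookie.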
 
