Cookie HttpOnly State with Fiddler4?

4 posts, 0 answers
  1. James
    Posted 22 Apr 2015

    I am attempting to view cookie HttpOnly state with Fiddler4. I know HttpOnly is enabled for certain cookies because I am viewing it with a different browser-dependent tool. With Fiddler4 I do not see the HttpOnly state for these cookies, even in the raw data. What options are available with Fiddler4 for viewing the cookie HttpOnly state?
  2. Eric Lawrence
    Admin
    Posted 23 Apr 2015

    Hello, James--

    HTTPOnly is an attribute that is provided by the server when it is setting a cookie to indicate that the cookie should not be visible to JavaScript (as a security measure); the cookie is only to be sent to the server via the Cookie request header.

    The HTTPOnly attribute is only visible in the Set-Cookie response header when a cookie is set; the client will not send that attribute back to the server when it resends the cookie to the server on subsequent requests.

    Browser tools that show a cookie's httponly state do so by directly examining the cookie metadata within the browser's cookie database.

    Regards,
    Eric Lawrence
    Telerik
  3. James
    Posted 23 Apr 2015 in reply to Eric Lawrence

    Thank you, Eric. Everything in your post is understood. Nevertheless, I do appreciate the clarifying information. I admit that I have little experience with Fiddler, as yet. So, perhaps I am missing something otherwise obvious. Still, I have not found any way to present the HttpOnly state for cookies that I know have that option set. I am able to confirm this with another debugging tool. I would prefer to use Fiddler because it is useful with any of the web browsers that I use. The other debug tool is not as versatile. So, if Fiddler is capable of presenting the HttpOnly state for these cookies, as various blogs and other information sources have indicated, what should I do in my use of Fiddler or its optional settings to view it?
  4. Eric Lawrence
    Admin
    Posted 24 Apr 2015

    Hello, James:

    I think you're asking: "Where can I see the httponly attribute on the Set-Cookie header?" 

    You can see Set-Cookie headers (and thus, this attribute) in the Headers response inspector, or in the Cookies response inspector.

    You might find the "Flag responses that set cookies" checkbox at the bottom of the Filters tab useful.

    Regards,
    Eric Lawrence
    Telerik
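
The point made in the replies above, as an added example that is not part of the original thread: cookie attributes such as HttpOnly appear only in Set-Cookie response headers, so an audit of captured traffic has to read the responses, not the Cookie request header. The capture, host name and cookie names below are constructed for illustration.

```python
# Constructed capture: one response that sets cookies, and the follow-up request.
RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: SID=abc123; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: theme=dark; Path=/; Max-Age=3600\r\n"
    "Set-Cookie: csrf=9f8e; Path=/; secure; SameSite=Strict\r\n"
    "\r\n"
)
REQUEST = (
    "GET /account HTTP/1.1\r\n"
    "Host: app.example\r\n"
    "Cookie: SID=abc123; theme=dark; csrf=9f8e\r\n"
    "\r\n"
)


def header_values(raw, name):
    """Return every value of header `name` (case-insensitive) in a raw message."""
    head = raw.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:  # skip the request/status line
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() == name.lower():
            values.append(value.strip())
    return values


def audit_set_cookie(raw_response):
    """Map cookie name -> flags; attribute names are matched case-insensitively."""
    report = {}
    for value in header_values(raw_response, "Set-Cookie"):
        pair, *attrs = [part.strip() for part in value.split(";")]
        name = pair.partition("=")[0]
        flags = {a.partition("=")[0].strip().lower() for a in attrs}
        report[name] = {"httponly": "httponly" in flags, "secure": "secure" in flags}
    return report


def request_cookie_names(raw_request):
    """Names sent in the Cookie request header: name=value pairs only, no attributes."""
    names = []
    for value in header_values(raw_request, "Cookie"):
        names += [p.partition("=")[0].strip() for p in value.split(";") if p.strip()]
    return names


def missing_httponly(raw_response):
    """Cookies set without HttpOnly, i.e. readable by page JavaScript."""
    return sorted(n for n, f in audit_set_cookie(raw_response).items() if not f["httponly"])
```

The request side yields only cookie names and values, which is why a proxy capture shows no HttpOnly state there.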