This is a migrated thread and some comments may be shown as answers.

Cookie HttpOnly State with Fiddler4?

3 Answers 631 Views
Fiddler Classic
This is a migrated thread and some comments may be shown as answers.
James
Top achievements
Rank 1
James asked on 22 Apr 2015, 06:39 PM
I am attempting to view cookie HttpOnly state with Fiddler4. I know HttpOnly is enabled for certain cookies because I am viewing it with a different browser-dependent tool. With Fiddler4 I do not see the HttpOnly state for these cookies, even in the raw data. What options are available with Fiddler4 for viewing the cookie HttpOnly state?

3 Answers, 1 is accepted

Sort by
0
Eric Lawrence
Telerik team
answered on 23 Apr 2015, 06:11 PM
Hello, James--

HTTPOnly is an attribute that is provided by the server when it is setting a cookie to indicate that the cookie should not be visible to JavaScript (as a security measure); the cookie is only to be sent to the server via the Cookie request header.

The HTTPOnly attribute is only visible in the Set-Cookie response header when a cookie is set; the client will not send that attribute back to the server when it resends the cookie to the server on subsequent requests.

Browser tools that show a cookie's httponly state do so by directly examining the cookie metadata within the browser's cookie database.

Regards,
Eric Lawrence
Telerik
 

See What's Next in App Development. Register for TelerikNEXT.

 
0
James
Top achievements
Rank 1
answered on 23 Apr 2015, 07:37 PM
Thank you, Eric. Everything in your post is understood. Nevertheless, I do appreciate the clarifying information. I admit that I have little experience with Fiddler, as yet. So, perhaps I am missing something otherwise obvious. Still, I have not found any way to present the HttpOnly state for cookies that I know have that option set. I am able to confirm this with another debugging tool. I would prefer to use Fiddler because it is useful with any of the web browsers that I use. The other debug tool is not as versatile. So, if Fiddler is capable of presenting the HttpOnly state for these cookies, as various blogs and other information sources have indicated, what should I do in my use of Fiddler or its optional settings to view it?
0
Eric Lawrence
Telerik team
answered on 24 Apr 2015, 04:22 PM
Hello, James:

I think you're asking: "Where can I see the httponly attribute on the Set-Cookie header?" 

You can see Set-Cookie headers (and thus, this attribute) in the Headers response inspector, or in the Cookies response inspector.

You might find the Flag responses that set cookies checkbox at the bottom of the Filters tab useful.

Regards,
Eric Lawrence
Telerik
 

See What's Next in App Development. Register for TelerikNEXT.

 
Tags
Fiddler Classic
Asked by
James
Top achievements
Rank 1
Answers by
Eric Lawrence
Telerik team
James
Top achievements
Rank 1
Share this question
or