Using HTTP Cookies
Fleeting - External reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies
secure cookie
cookie with the Secure attribute is only sent to the server with an encrypted request over the HTTPS protocol
— https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies
don’t assume that Secure prevents all access to sensitive information in cookies. For example, someone with access to the client’s hard disk (or JavaScript if the HttpOnly attribute isn’t set) can read and modify the information
— https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies
httponly cookie
cookie with the HttpOnly attribute is inaccessible to the JavaScript Document.cookie API; it’s only sent to the server. For example, cookies that persist in server-side sessions don’t need to be available to JavaScript and should have the HttpOnly attribute. This precaution helps mitigate cross-site scripting (XSS) attacks.
— https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies
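
A small audit of `Set-Cookie` header values for the two attributes quoted above, as an added example that is not from MDN or from the original note. The function names and the sample header values are constructed for illustration.

```javascript
// Added example: flag Set-Cookie values that lack Secure or HttpOnly.
// SAMPLE_HEADERS are constructed values, not captured traffic.

function parseSetCookie(headerValue) {
  const parts = headerValue.split(";").map((p) => p.trim()).filter(Boolean);
  if (parts.length === 0) return null;
  const eq = parts[0].indexOf("=");
  if (eq < 1) return null; // first segment is not a name=value pair
  // Only segments after the first are attributes, so a cookie *value* of
  // "secure" is never mistaken for the Secure attribute.
  // Attribute names are case-insensitive (RFC 6265).
  const attrs = new Set(
    parts.slice(1).map((p) => p.split("=")[0].trim().toLowerCase())
  );
  return {
    name: parts[0].slice(0, eq).trim(),
    secure: attrs.has("secure"),
    httpOnly: attrs.has("httponly"),
  };
}

function auditSetCookie(headerValue) {
  const cookie = parseSetCookie(headerValue);
  if (cookie === null) {
    return { name: null, findings: ["unparseable Set-Cookie value"] };
  }
  const findings = [];
  if (!cookie.secure) findings.push("missing Secure: also sent over plain HTTP");
  if (!cookie.httpOnly) findings.push("missing HttpOnly: readable via Document.cookie");
  return { name: cookie.name, findings };
}

const SAMPLE_HEADERS = [
  "sid=38afes7a8; Path=/; Secure; HttpOnly", // both attributes set
  "sid=38afes7a8; Path=/; SECURE; httponly", // same, different letter case
  "mode=secure; Path=/",                     // value "secure" is not the attribute
  "token=a=b; Secure; Max-Age=3600",         // value contains '='; HttpOnly missing
];

function auditAll(headers) {
  return headers.map(auditSetCookie);
}

for (const r of auditAll(SAMPLE_HEADERS)) {
  console.log(r.name, r.findings.length ? r.findings.join("; ") : "ok");
}
```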