Hi,

I'm a security researcher at the University of Virginia, and I have been
looking into the use and adoption of http-only cookies. My advisor is
Professor David Evans.

We were surprised to discover that your site seems to not use http-only
cookies, even for cookies that contain authentication information. Even
if the cookies are SSL-only, that by itself does not provide the same
protection that tagging the cookies as http-only would (for example,
they could still be stolen by an XSS attack). So far as we could tell
from some simple dynamic experiments, there is no reason why your site's
cookies are not http-only (that is, the client-side JS code does not
appear to use the cookie contents in any way, and we've tried accessing
your site with a proxy that makes all the cookies http-only and
everything seems to work fine).

So, as far as I understand it, there are significant security benefits
and no drawbacks (perhaps except for a few extra bytes in the cookie)
to making all the cookies http-only.  Is there some good reason we're
missing why you don't do this?

Best,

--- Yuchen
=======================================
Yuchen Zhou
yz...@virginia.edu
Graduate student at Computer Science Dept.
University of Virginia
