Hacker News new | ask | show | jobs
by ddlsmurf 175 days ago
if you set the cookier header right (definitely not always the case), this is true, but the javascript can still send requests that will have that cookie included, effectively still letting the hacker use the session as the logged in user
1 comments
collinmanderson 174 days ago
with http-only they can't _steal_ the cookie, but they can still _use_ the cookie. It reduces the impact but doesn't fully solve it.
link