Why Aren't HTTP-only Cookies More Widely Deployed?
Yuchen Zhou and David Evans
Web 2.0 Security and Privacy (W2SP)
Oakland, CA, 20 May 2010.
Abstract
HTTP-only cookies were introduced eight years ago as a simple way to
prevent cookie-stealing through cross-site scripting attacks. Adopting
HTTP-only cookies seems to be an easy task with no significant costs or
drawbacks, but many major websites still do not use HTTP-only
cookies. This paper reports on a survey of HTTP-only cookie use in
popular websites, and considers reasons why HTTP-only cookies are not
yet more widely deployed.
Keywords: HTTP-only, cookies, web application security,
adoption of security technologies
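The survey described in the abstract amounts to collecting each site's Set-Cookie headers and checking whether the cookies that carry session state are flagged HttpOnly. The script below, added here as an example and not code from the paper or its authors, performs that check over a constructed set of response headers standing in for crawled data; the host names, cookie values and the session-name heuristic (SESSION_NAME_RE) are all assumptions made for the illustration.

```python
"""Audit Set-Cookie headers for the HttpOnly attribute.

Added example, not code from the paper.  The response headers below are
constructed sample data, not results from the paper's survey.
"""
import re
from dataclasses import dataclass

# Constructed sample: Set-Cookie headers as a crawler would record them for
# a few hypothetical hosts (the host names and values are made up).
SAMPLE_RESPONSES = {
    "shop.example": [
        "Set-Cookie: PHPSESSID=2f9c1e; Path=/; HttpOnly",
        "Set-Cookie: lang=en; Path=/",
    ],
    "bank.example": [
        "Set-Cookie: JSESSIONID=A1B2C3; Path=/; Secure; HttpOnly",
    ],
    "blog.example": [
        "Set-Cookie: session=xyz789; Path=/",
        "Set-Cookie: theme=dark; Path=/",
    ],
}

# Heuristic (an assumption of this example): cookie names that usually carry
# authentication state.  A real survey would confirm this by observing which
# cookie the site actually requires for a logged-in request.
SESSION_NAME_RE = re.compile(r"(sess|sid|auth|token|login)", re.IGNORECASE)


@dataclass
class Cookie:
    name: str
    httponly: bool
    secure: bool


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header (with or without the 'Set-Cookie:' prefix).

    Attribute names are matched case-insensitively, as browsers do, so
    'httponly', 'HttpOnly' and 'HTTPONLY' are all recognised.
    """
    value = header.split(":", 1)[1] if header.lower().startswith("set-cookie:") else header
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return Cookie(name, "httponly" in attrs, "secure" in attrs)


def audit(responses):
    """Return {host: [session-like cookie names that lack HttpOnly]}.

    An empty list means every session-like cookie the host set is hidden
    from document.cookie; a non-empty list names cookies an XSS payload
    could read and exfiltrate.
    """
    findings = {}
    for host, headers in responses.items():
        cookies = [parse_set_cookie(h) for h in headers]
        findings[host] = [
            c.name for c in cookies
            if SESSION_NAME_RE.search(c.name) and not c.httponly
        ]
    return findings


if __name__ == "__main__":
    for host, exposed in audit(SAMPLE_RESPONSES).items():
        if exposed:
            print(f"{host}: session cookie readable from script: {', '.join(exposed)}")
        else:
            print(f"{host}: OK")
```

Two caveats a practitioner should keep in mind when reading such results. First, HttpOnly only denies script access to the cookie value; an XSS payload running in the page can still issue authenticated requests with the browser attaching the cookie for it, so the flag limits exfiltration and offline reuse of the session rather than neutralising the injection. Second, the name-based heuristic above is a stand-in for actually verifying which cookie the site uses for authentication, which is the harder part of any real survey.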
Paper
Full paper (5 pages): [PDF]