Why Aren't HTTP-only Cookies More Widely Deployed?

Yuchen Zhou and David Evans

University of Virginia

Web 2.0 Security and Privacy (W2SP 2010)

[Figure: HTTP-only cookie deployment timeline]

  • Introduction

    HTTP-only cookies were introduced eight years ago as a simple way to prevent cookie-stealing through cross-site scripting attacks. Adopting HTTP-only cookies seems to be an easy task with no significant costs or drawbacks, but many major websites still do not use HTTP-only cookies. This paper reports on a survey of HTTP-only cookie use in popular websites, and considers reasons why HTTP-only cookies are not yet more widely deployed.

  • Paper

    Full paper (5 pages): PDF
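The survey described in the introduction above amounts to inspecting each site's Set-Cookie response headers for the HttpOnly (and Secure) attribute. The following added example, not code from the paper or its authors, does that check over constructed sample headers; the cookie names and values are made up for illustration.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure attributes.

Given the raw Set-Cookie header values an HTTP response carries, report
which cookies remain readable by page scripts (no HttpOnly, so a
cross-site scripting flaw could exfiltrate them) and which may be sent
over plain HTTP (no Secure).  Sample headers are constructed, not
captured from any real site.
"""
from dataclasses import dataclass


@dataclass
class CookieAudit:
    name: str
    httponly: bool
    secure: bool


def parse_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie header value (RFC 6265 syntax)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive; HttpOnly and Secure are
    # bare flags, so only the attribute name matters.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return CookieAudit(name, "httponly" in attrs, "secure" in attrs)


def audit_headers(headers):
    """Return (cookies lacking HttpOnly, cookies lacking Secure)."""
    audits = [parse_set_cookie(h) for h in headers]
    missing_httponly = [a.name for a in audits if not a.httponly]
    missing_secure = [a.name for a in audits if not a.secure]
    return missing_httponly, missing_secure


# Constructed sample response headers (hypothetical cookie names/values).
# The last one is a token that page scripts read deliberately: a finding
# from this audit is a cookie to review, not automatically a defect.
SAMPLE_HEADERS = [
    "SESSIONID=3f9a1c; Path=/; HttpOnly; Secure",
    "prefs=lang%3Den; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT",
    "csrftoken=9a7b; Path=/; Secure",
]

if __name__ == "__main__":
    no_httponly, no_secure = audit_headers(SAMPLE_HEADERS)
    print("Readable by page scripts (no HttpOnly):", no_httponly)
    print("May be sent over plain HTTP (no Secure):", no_secure)
```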