HTTPOnly and Ember-Simple-Auth


#1

I’m trying to figure out if there is a solution to an issue with cookies.

A client used a one-size-fits-all WAS scanner to test an Ember app developed at my company. (but not by me. I’ve actually never used Ember before) One item that triggered an alert is that the cookie holding the JWT data for ember-simple-auth is not flagged as HTTPonly.

By my understanding, that would make the cookie data unavailable to the client side javascript so this wouldn’t even be possible for an ember application.

Is that a true assumption (httponly will kill ember) or is there a way to set that flag when the cookie is established?

I’m posting here because I think its a fundamental Ember question and not so much a simple-auth thing… if this isn’t the place, please tell me where I should go to ask.

Thanks!


#2

Yes it will kill ember’s access to the cookie because it is javascript. See also:

http://stackoverflow.com/questions/14691654/set-a-cookie-to-httponly-via-javascript


#3

Thanks for confirming!