Why doesn’t document.cookie show all the cookie for the site?

by

From http://en.wikipedia.org/wiki/HTTP_cookie:

Cookies are not directly visible to
client-side programs such as
JavaScript if they have been sent with
the HttpOnly flag. From the point of
view of the server, the only
difference with respect of the normal
case is that the set-cookie header
line is added a new field containing
the string `HttpOnly’:

Set-Cookie: RMID=732423sdfs73242; expires=Fri, 31-Dec-2010 23:59:59 GMT; path=/; domain=.example.net; HttpOnly

When the browser receives such a
cookie, it is supposed to use it as
usual in the following HTTP exchanges,
but not to make it visible to
client-side scripts.
The HttpOnly flag is not part of any standard, and is not implemented in all browsers.

Update from 2017: a lot of time had passed since 2009, and HttpOnly header flag is became a standard, defined in the section 5.2.6 of RFC6265, with the storage semantics described in the same document (look for “http-only-flag” throughout the RFC text).

There is no way to access anything about the HttpOnly cookies from “non-HTTP” APIs, e.g. JavaScript. By design, neither reading, nor writing such cookies is possible.

More Related Contents:

  1. How do you increment a cookie value?
  2. How to delete a cookie?
  3. Get cookie by name
  4. Clearing all cookies with JavaScript
  5. How to set a cookie for another domain
  6. What is the shortest function for reading a cookie by name in JavaScript?
  7. Javascript getCookie functions
  8. Setting cross-domain cookies in Safari
  9. What are cookies and sessions, and how do they relate to each other?
  10. SameSite warning Chrome 77
  11. How do I create and read a value from cookie with javascript?
  12. Check if third-party cookies are enabled
  13. How can I set a cookie with expire time?
  14. Javascript Cookie with no expiration date
  15. How to expire a cookie in 30 minutes using jQuery?
  16. can i be notified of cookie changes in client side javascript
  17. jQuery $.cookie is not a function
  18. Pure Javascript – store object in cookie
  19. CORS cookie credentials from mobile WebView loaded locally with file://
  20. Javascript document.cookie always returns empty string
  21. How can I handle browser tab close event in Angular? Only close, not refresh
  22. How to use cookie inside `getServerSideProps` method in Next.js?
  23. Best way to store small UI user preferences in web app? [closed]
  24. How do I edit PHP variable with JavaScript/jQuery?
  25. Cookies Only set in Chrome – not set in Safari, Mobile Chrome, or Mobile Safari
  26. Set-Cookie in HTTP header is ignored with AngularJS
  27. Why cookies and set-cookie headers can’t be set while making xmlhttprequest using setRequestHeader?
  28. Getting setting cookies on different domains, with JavaScript or other
  29. How to modify Cookie from Ajax call
  30. How to update and delete a cookie?

Leave a Comment