Why Aren't HTTP-only Cookies More Widely Deployed?
Yuchen Zhou and David Evans
Web 2.0 Security and Privacy
Oakland, CA, 20 May 2010.
HTTP-only cookies were introduced eight years ago as a simple way to
prevent cookie-stealing through cross-site scripting attacks. Adopting
HTTP-only cookies seems to be an easy task with no significant costs or
drawbacks, but many major websites still do not use HTTP-only
cookies. This paper reports on a survey of HTTP-only cookie use in
popular websites, and considers reasons why HTTP-only cookies are not
yet more widely deployed.
Keywords: HTTP-only, cookies, web application security,
adoption of security technologies
Full paper (5 pages): [PDF