Do you work with cookies? Worried about security?

Of course, to the question in the subject, I'm sure you are saying: “ah-doyyy...” And to that, I say that “ah-doyyy” is an expression that isn't used nearly enough these days.

Anyway, if you are working with cookies, then you should read this article on MSDN about “HTTP-only” cookie support in IE6 SP1. A cookie marked HttpOnly is not accessible from client-side script, which vastly reduces the risk of a cross-site scripting attack being able to steal it.

We use HTTPOnly on the cookies we send down when using forms-based authentication in Exchange 2003. Because the users' credentials are stored in a cookie (encrypted and secured to the best of our abilities, aka “up the wazoo”; the algorithms were reviewed multiple times by the security experts at Microsoft), the risk of cross-site scripting stealing that cookie is a worrisome one. If clients are using IE6 SP1, they will have this extra layer of protection in place.
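To make the mechanism concrete, here is a small added example (my own illustration, not code from this post, from Exchange, or from the MSDN article). It builds a Set-Cookie header with the HttpOnly flag, models the browser rule the article describes (script can read `document.cookie`, but a browser that honours HttpOnly leaves flagged cookies out of it), and audits a response's Set-Cookie headers for sensitive cookies that are still exposed to script. The cookie names and values are constructed for the example.

```python
"""Model of HttpOnly cookie handling: build Set-Cookie headers, simulate what
document.cookie would expose in a browser that honours HttpOnly, and audit a
response for sensitive cookies missing the flag. Stdlib only."""

from dataclasses import dataclass, field


@dataclass
class ParsedCookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)  # attribute names lower-cased

    @property
    def http_only(self) -> bool:
        return "httponly" in self.attrs

    @property
    def secure(self) -> bool:
        return "secure" in self.attrs


def build_set_cookie(name, value, path="/", http_only=True, secure=True):
    """Build a Set-Cookie header value. HttpOnly keeps the cookie out of
    client-side script; Secure keeps it off plaintext HTTP."""
    parts = [f"{name}={value}", f"Path={path}"]
    if http_only:
        parts.append("HttpOnly")
    if secure:
        parts.append("Secure")
    return "; ".join(parts)


def parse_set_cookie(header):
    """Split 'name=value; Attr; Attr=val' into a ParsedCookie.
    Attribute names are matched case-insensitively, as browsers do."""
    pieces = [p.strip() for p in header.split(";")]
    name, _, value = pieces[0].partition("=")
    attrs = {}
    for piece in pieces[1:]:
        if not piece:
            continue
        key, _, val = piece.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return ParsedCookie(name.strip(), value, attrs)


def script_visible_cookies(set_cookie_headers):
    """Simulate the browser rule: document.cookie returns only cookies that
    were set WITHOUT HttpOnly. Returns a list of 'name=value' strings."""
    visible = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if not cookie.http_only:
            visible.append(f"{cookie.name}={cookie.value}")
    return visible


def audit_set_cookie_headers(set_cookie_headers, sensitive_names):
    """Return the names of sensitive cookies (sessions, auth tokens) that a
    response sets without HttpOnly, i.e. cookies an XSS payload could read."""
    exposed = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if cookie.name in sensitive_names and not cookie.http_only:
            exposed.append(cookie.name)
    return exposed


# Constructed sample response headers: one hardened auth cookie, one harmless
# preference cookie, and one auth cookie that forgot the flag.
SAMPLE_HEADERS = [
    build_set_cookie("sessionid", "abc123"),          # HttpOnly + Secure
    "theme=dark; Path=/",                             # fine to expose to script
    "auth=tok456; Path=/; Secure",                    # Secure but NOT HttpOnly
]
SENSITIVE = {"sessionid", "auth"}

if __name__ == "__main__":
    print("script sees:", script_visible_cookies(SAMPLE_HEADERS))
    print("exposed sensitive cookies:", audit_set_cookie_headers(SAMPLE_HEADERS, SENSITIVE))
```

Running it shows script seeing `theme=dark` and `auth=tok456` but not `sessionid`, and the audit flagging `auth` as the cookie to fix. The same audit logic works over a captured response's headers, which is a quick way to check that every authentication cookie your application sends actually carries the flag.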

Note: If you decide to key the sending of HTTPOnly cookies off the browser version (or to key the entire feature for which security is important off it) rather than sending HTTPOnly all of the time, see the note at the bottom of that article - IE6 and IE6 SP1 have the same user-agent string, so you need to use script to determine the minor version number.