[Openid-specs-ab] Issue #873: session 4.1. Can we use opbs with http (not httponly) (openid/connect)

Phuong Le issues-reply at bitbucket.org
Tue Sep 17 15:53:51 UTC 2013


New issue 873: session 4.1. Can we use opbs with http (not httponly)
https://bitbucket.org/openid/connect/issue/873/session-41-can-we-use-opbs-with-http-not

Phuong Le:

Regarding the spec at [openid-connect-session-1_0-15.html](http://openid.net/specs/openid-connect-session-1_0-15.html), it says "The OP iframe has access to Browser state at the OP (in a cookie or in HTML5 storage)".

I would like to confirm whether it is possible to access that cookie from JavaScript. My concern is about the security issue. Currently, all of the cookies used in my application are set as httponly cookies.

Responsible: mbj