Chrome developer tools > resources > cookies > http column, does a checkmark here indicate HttpOnly cookie?
Yes. Enter document.cookie
in the console, and you'll see that none of the checked cookies are visible.
HTTP = HttpOnly flag, Secure = secure flag.
Yes. Right click on your page or press F12
button. This will open developers tools window. Go to application tab. It'll show as follow :-
Now, typing document.cookie on the tab, you'll see only csrf token being shown.
To specify session cookies to be httpCookie by default, set 'useHttpOnly'
attribute in context.xml in tomcat, for java web application. For more information, refer to http://tomcat.apache.org/tomcat-7.0-doc/config/context.html#Common_Attributes
So 2 things .
1) HTTP only cookie
this name is a bit misleading as we can send HTTPOnly cookie over HTTPS and it works perfectly fine. Main characteristics of HTTP Only
cookie is it can't be accessed using JavaScript . In-fact You can't even manually edit this in Chrome's Application
tab.
2) So how you can edit HTTP Only cookie ? In chrome You can use extension to edit cookie while development . In production mode there is no way you can adultrate this without man in the middle
attack on HTTP connection.