[ACCEPTED]-Logout with HttpOnly cookie-cookie-httponly

Accepted answer
Score: 40

If by logging out you mean removing the 16 session cookie, then no, you cannot remove 15 HttpOnly cookies from Javascript. It is, however, easy 14 to set up two cookies, one HttpOnly and one 13 insecure, such that only a combination of 12 the two is a valid session key. Removing 11 either cookie would destroy the session.

If 10 your service is sensitive, it does make 9 sense to handle all realistic threat scenarios, and 8 this one is pretty realistic.

Setting up 7 two cookies, one of which is HttpOnly, is 6 actually common in the standard CSRF prevention 5 technique. I have not seen it in your specific 4 scenario but it very similar to the anti-CSRF 3 case, and looks like an obvious and easy 2 application of the general twoo-cookies 1 idea.

More Related questions