Request to use HttpOnly Cookies for Auth0 Authentication

Dear Auth0 Support Team,

I am writing to inquire about the possibility of using HttpOnly cookies for authentication in my application that uses Auth0. I understand that Auth0 currently uses a combination of both HttpOnly and Secure cookies for authentication and session management.

I am interested in using HttpOnly cookies as an additional layer of security to prevent cross-site scripting (XSS) attacks and to be compliant with certain regulations. I understand that HttpOnly cookies are only accessible via the HTTP protocol and cannot be accessed or modified by client-side scripts.

I would appreciate it if you could let me know if it is possible to use HttpOnly cookies instead of the current Secure cookies for authentication in my application. If so, could you please provide me with any necessary steps or guidelines for implementing this change?

Thank you for your time and assistance.

Best regards,
Avi Cohen


Hey there @Insighting welcome back!

Setting cookies to HttpOnly would prevent JavaScript from reading the value. If you are building a SPA application for example, JS must have access to these values.

If this is a requirement for your application you may need to move your authentication to a backend which would allow for the use of HttpOnly cookies and sessions as needed.

Hope this helps!

Thank you Tyf,

We are currently using Auth0 for authentication in our application, and we want to ensure that our users’ data is as secure as possible. can you kindly help us with additional info:
What information do these security cookies typically hold?
What are the security risks in case these cookies are hacked?

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.