ddlsmurf 89 days ago | on: We pwned X, Vercel, Cursor, and Discord through a ...
if you set the cookie header right (definitely not always the case), this is true, but the JavaScript can still send requests that will have that cookie included, effectively still letting the hacker use the session as the logged in user
collinmanderson 89 days ago
with http-only they can't _steal_ the cookie, but they can still _use_ the cookie. It reduces the impact but doesn't fully solve it.