Does setting httponly prevent stealing a session using XSS?
In general, if httponly
is set on its token then an XSS attack shouldn't be able to retrieve a session token. Modulo past bugs in browsers and plugins, and server misconfiguration (eg responding to HTTP TRACE).
But it's not worth much. You can stop XSS from getting hold of the token, but an XSS attack still has full control of the session on the user's machine: it can force the user to do pretty much anything on the site, or falsify the user's interface to the site (eg to phish for site credentials). See BeEF for an example of what an attacker can achieve with a compromised session: you've pretty much lost already.
Not setting httponly
at best makes life slightly easier for the attacker in that they can access the session from their own machine in their own time, rather than being limited by the amount of time the user keeps their browser window open. It's worth having httponly
where possible, but it's a mild mitigation that does not magically protect you from the effects of XSS.
The HttpOnly feature can be bypassed in certain versions of some browsers and web servers.
More data (natexim)
More data (google)
XSS attacks are so flexible that they can still be executed if, for instance, the HttpOnly feature has been used to hide the cookie from JS and ETC .
Other possible scenarios include bypassing CSRF tokens, exploiting browser weaknesses, spoofing internal web pages, etc.
If done correctly, HttpOnly prevents an attacker stealing the cookie. However, they can still perform arbitrary web requests impersonating the victim users, and extract the responses. For example, BEEF has a module to do this.
In other words, HttpOnly makes things harder for an attacker, but does not stop a skilled attacker.
Also, as others have pointed out, there are various flaws that can allow an attacker to extract an HttpOnly cookie.
Bottom line - all XSS is potentially serious and you need to fix the XSS flaws.