Forum Discussion
hooleylist
Jun 01, 2012
Hi Chris,
As you said, HttpOnly is an attempt to mitigate XSS. Encrypting cookies mitigates cookie value tampering and possibly information disclosure if you're using cookie values with meaningful data (as opposed to session IDs, etc). But encryption does nothing to prevent use of another user's cookies by a malicious user.
There is a fairly significant performance hit with encrypting cookie values so I'd only use it if you're concerned about information disclosure or cookie tampering.
Aaron
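The distinction Aaron draws, shown as an added Go example that is not part of the original thread: an AES-GCM-sealed cookie value rejects any edit (the tampering protection) yet decrypts identically for whoever presents an unmodified copy, so the HttpOnly flag is applied as a separate, unrelated mitigation. The key, cookie name and cookie contents are constructed demo values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"net/http"
)

// Constructed 32-byte demo key (AES-256); both constructors fail only on bad lengths, so the errors are dropped.
var block, _ = aes.NewCipher([]byte("0123456789abcdef0123456789abcdef"))
var aead, _ = cipher.NewGCM(block)

// Seal encrypts and authenticates a cookie value: AES-GCM, random nonce prefixed, URL-safe base64.
func Seal(plain string) string {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // no usable randomness means no usable cookie
	}
	return base64.RawURLEncoding.EncodeToString(aead.Seal(nonce, nonce, []byte(plain), nil))
}

// Open rejects any edited value (GCM tag check) but cannot tell who presents an unedited one:
// a copied cookie decrypts for a second client exactly as it does for the first.
func Open(sealed string) (string, error) {
	raw, err := base64.RawURLEncoding.DecodeString(sealed)
	if err != nil || len(raw) < aead.NonceSize()+aead.Overhead() {
		return "", fmt.Errorf("malformed cookie")
	}
	plain, err := aead.Open(nil, raw[:aead.NonceSize()], raw[aead.NonceSize():], nil)
	return string(plain), err
}

// Tampered flips one ciphertext bit, standing in for a client editing its cookie value.
func Tampered(sealed string) string {
	raw, _ := base64.RawURLEncoding.DecodeString(sealed)
	raw[len(raw)-1] ^= 1
	return base64.RawURLEncoding.EncodeToString(raw)
}

// SessionCookie carries the sealed value with the separate XSS mitigation from the thread: HttpOnly.
func SessionCookie(sealed string) *http.Cookie {
	return &http.Cookie{Name: "sess", Value: sealed, Path: "/", Secure: true, HttpOnly: true}
}

func main() {
	sealed := Seal("uid=alice;role=member")
	_, err := Open(Tampered(sealed)) // edited value: tag check fails
	fmt.Println(SessionCookie(sealed), "| tamper rejected:", err != nil)
}
```

Note that Open succeeds for the same sealed string no matter which client sends it; binding the session to the user has to come from somewhere other than the cookie's encryption.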