I'm managing a server and have been looking into setting HttpOnly for my cookies.
While I don't have any cookies which are interacted with on both the server and client side, would enabling this option for all cookies prevent client-side generated cookies from being accessed on subsequent page loads?
To clarify, this would be set as a server option.
I'm using Apache so this would be something like:
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
in the Apache config.
Additionally, the question is based on using cookies for data storage. LocalStorage is outside of the question's context, even if it is a superior method for storing data used purely on the client side.
Would enabling this option for all cookies prevent client-side generated cookies from being accessed on subsequent page loads?
Yes. JS cannot access the values of cookies that the server response tagged with HttpOnly, and it cannot write new values to them either.
I haven't found out what exactly happens when JS tries to write to one; nonetheless, browsers seem to shadow the HTTP-sent one with a locally stored one that is only accessible to the client-side script. I wouldn't rely on this behaviour though; the write might simply be ignored. In older browsers there seem to have been bugs where the HttpOnly cookie was written to.
However, there is no way to enable HttpOnly for all cookies. You have to set it on every exchanged cookie individually, so this option will only be enabled for those cookies that the server does send to the client with that flag.
So if you are configuring your Apache to enable that flag on all outgoing cookies, it still depends on whether your server application mirrors all the cookies sent by the client. Usually it would not, and would send only the cookies it does want to set (for itself, to be used on the server).
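The following is an added example, not code from the question or the answer above. It models the two points the answer makes: the Apache `Header edit` rule only rewrites Set-Cookie response headers (which client-created cookies never pass through), and a script can neither read nor overwrite a cookie the server tagged HttpOnly. The cookie jar is a toy that follows RFC 6265 section 5.3 for the HttpOnly cases, not a browser; the regex is the one from the question, and the cookie names and values are constructed for the example.

```javascript
// Added example (not from the original question or answer): a small model of
// how  Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure  interacts with
// cookies that page scripts create. The jar below is a toy that follows
// RFC 6265 section 5.3 for the HttpOnly rules; it is not a browser.
// All cookie names and values are constructed for this example.

// 1. The Apache rule: rewrite every Set-Cookie header of a response.
//    It only ever sees response headers. A cookie the page wrote with
//    document.cookie travels in the request's Cookie header, so it is never
//    touched unless the application echoes it back in a Set-Cookie.
function apacheHeaderEdit(setCookieHeaders) {
  // Same regex as the question. Note it appends the flags even when the
  // application already set them, so duplicates are possible.
  return setCookieHeaders.map((h) => h.replace(/^(.*)$/, "$1;HttpOnly;Secure"));
}

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), httpOnly: false, secure: false };
  for (const a of attrs) {
    const key = a.toLowerCase();
    if (key === "httponly") cookie.httpOnly = true;
    else if (key === "secure") cookie.secure = true;
  }
  return cookie;
}

// 2. A toy cookie store modelling the browser's rules.
class CookieJar {
  constructor() { this.cookies = new Map(); }

  // Cookie arriving via a Set-Cookie response header (the "HTTP" API).
  receiveFromHttp(header) {
    const c = parseSetCookie(header);
    this.cookies.set(c.name, c);
  }

  // document.cookie = "name=value" (a "non-HTTP" API). RFC 6265 section 5.3,
  // step 11.2: if an existing cookie of that name is HttpOnly, the new cookie
  // is ignored. A script also cannot set HttpOnly itself; the flag is dropped.
  setFromScript(assignment) {
    const c = parseSetCookie(assignment);
    c.httpOnly = false;
    const old = this.cookies.get(c.name);
    if (old && old.httpOnly) return false; // write rejected
    this.cookies.set(c.name, c);
    return true;
  }

  // What document.cookie returns: HttpOnly cookies are omitted.
  documentCookie() {
    return [...this.cookies.values()]
      .filter((c) => !c.httpOnly)
      .map((c) => `${c.name}=${c.value}`)
      .join("; ");
  }

  // What the browser sends back in the Cookie request header: everything.
  // HttpOnly hides cookies from scripts, not from the server.
  requestCookieHeader() {
    return [...this.cookies.values()].map((c) => `${c.name}=${c.value}`).join("; ");
  }
}

// 3. Walk through the scenario from the question.
function scenario() {
  const jar = new CookieJar();
  // The page's own script creates a client-side cookie first.
  jar.setFromScript("ui_theme=dark");
  // The server sends its session cookie; Apache appends the flags.
  const outgoing = apacheHeaderEdit(["session=abc123; Path=/"]);
  outgoing.forEach((h) => jar.receiveFromHttp(h));
  // On the next load the script still has full access to its own cookie...
  jar.setFromScript("ui_theme=light");
  // ...but cannot read or overwrite the server's HttpOnly cookie.
  const overwrote = jar.setFromScript("session=evil");
  return {
    outgoing,
    visibleToScript: jar.documentCookie(),
    sentToServer: jar.requestCookieHeader(),
    overwrote,
  };
}

console.log(scenario());
```

Two things worth checking on a real deployment: the rule also appends `Secure`, so if any page is still served over plain HTTP the browser will not send that cookie back at all; and because the regex appends unconditionally, an application that already emits `HttpOnly` gets the attribute twice, which is harmless but untidy.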