Why Aren't HTTP-Only Cookies More Widely Deployed?

HTTP-only cookies were introduced eight years ago as a simple way to prevent cookie-stealing through cross-site scripting attacks. Adopting HTTP-only cookies seems to be an easy task with no significant costs or drawbacks, but many major websites still do not use HTTP-only cookies. This paper reports on a survey of HTTP-only cookie use in popular websites, and considers reasons why HTTP-only cookies are not yet more widely deployed. HTTP cookies are used as authentication tokens by nearly all websites that require user credentials. Cookies provide a way for websites to manage persistent state within the stateless HTTP protocol since browsers send cookies back to the server as part of the HTTP request header.