I have set up my ColdFusion application to set HTTPOnly cookies using the code below (from http://www.petefreitag.com/item/764.cfm):
<cfcomponent output="false">
    <cfscript>
        THIS.Name = "MyCFApp";
        THIS.SessionManagement = true;
        THIS.SetClientCookies = false;
        THIS.SessionTimeout = CreateTimeSpan(0, 3, 0, 0);
        THIS.ApplicationTimeout = CreateTimeSpan(0, 8, 0, 0);
    </cfscript>
    <cffunction name="onSessionStart" returntype="Void" output="false">
        <cfheader
            name="Set-Cookie"
            value="CFID=#SESSION.CFID#;path=/;HTTPOnly;#APPLICATION.SECURE_COOKIES#;" />
        <cfheader
            name="Set-Cookie"
            value="CFTOKEN=#SESSION.CFTOKEN#;path=/;HTTPOnly;#APPLICATION.SECURE_COOKIES#;" />
        <cfreturn />
    </cffunction>
</cfcomponent>
(FYI, APPLICATION.SECURE_COOKIES allows me to set an application-specific value for secure cookies - production is SSL, so I can do secure, but my local dev environment is not SSL, so this is empty.)
When I clear my cookies/session in Google Chrome, and reload the page, I can see the Set-Cookie response headers in the debugger:
When I inspect the cookies in the debugger, they are flagged as HTTPOnly:
When I do the same in IE9, I can see the Set-Cookie headers in the debugger:
But, for the same request, the cookies are visible in the debugger:
When I reload in IE9, the cookies are visible, but not flagged as HTTPOnly:
What is going on here with IE9? How can I resolve this to properly set HTTPOnly Cookies?
Check whether the OPTIONS response header Access-Control-Allow-Credentials is set to true. If the server doesn't allow credentials being sent along, the browser will just not attach cookies and authorization headers. So this could be another reason why the cookies are missing in the POST cross-site request.
Use the HttpOnly attribute to prevent access to cookie values via JavaScript. Cookies that are used for sensitive information (such as indicating authentication) should have a short lifetime, with the SameSite attribute set to Strict or Lax.
promoted from the comments
I believe there was an issue with the developer tools in IE8 that would not display cookies with the HTTPOnly flag. This may still be an issue with IE9 but I have not been able to confirm.
When I reload in IE9, the cookies are visible, but not flagged as HTTPOnly:
The cookies that you are seeing in the developer tools after reloading IE9 are being sent by your browser to the server. Notice the Sent in the Direction column of the screenshot. This is also why it does not show the HTTPOnly flag as being sent. It has no meaning for the server. The Direction column will show Received for cookies sent from the server.
how can I confirm that my server is setting HTTPOnly cookies in IE?
If you look at the screenshot that you shared from IE9 showing the Response Headers, at the end of both Set-Cookie lines you can see the HTTPOnly flag. That shows that the server sent it to the browser. It is then up to the browser to respect (or not) that flag. I'm afraid you are dealing with a "working as designed" issue with the developer tools on an old version of Internet Explorer. NOTE - this is only an issue with the developer tools, not the browser's support of the HTTPOnly flag.
One easy way to check if the browser is respecting your HTTPOnly flag is to type the following in the address bar.
javascript:alert(document.cookie)
This will display a window with all of the cookies currently available to javascript. Any cookies with the HTTPOnly flag should NOT be displayed.
Here is one reference that I found - View HttpOnly session cookies in Internet Explorer
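A server-side way to confirm what the answer describes (reading the Set-Cookie response headers for the HTTPOnly flag) without relying on any browser's developer tools. This is an added example, not code from the question or the answer; the header values it checks are constructed to mirror what the question's cfheader tags emit, including the empty trailing attribute ("HTTPOnly;;") left behind when APPLICATION.SECURE_COOKIES is blank.

```python
# Added example: audit Set-Cookie header values for the HttpOnly and Secure
# attributes. Attribute names are matched case-insensitively, since browsers
# accept "HTTPOnly" and "HttpOnly" alike.

def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attr_lower: attr_value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:  # skip empty segments such as the trailing ";;"
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_cookies(set_cookie_headers, session_cookie_names=("CFID", "CFTOKEN")):
    """Return {cookie_name: [missing attributes]} for the session cookies."""
    findings = {}
    for header in set_cookie_headers:
        name, _value, attrs = parse_set_cookie(header)
        if name not in session_cookie_names:
            continue
        findings[name] = [flag for flag in ("httponly", "secure") if flag not in attrs]
    return findings


# Constructed sample headers: what the question's Application.cfc would send
# with APPLICATION.SECURE_COOKIES empty (dev) and set to "secure" (production).
DEV_HEADERS = [
    "CFID=12345;path=/;HTTPOnly;;",
    "CFTOKEN=67890abc;path=/;HTTPOnly;;",
]
PROD_HEADERS = [
    "CFID=12345;path=/;HTTPOnly;secure;",
    "CFTOKEN=67890abc;path=/;HTTPOnly;secure;",
]

if __name__ == "__main__":
    for label, headers in (("dev", DEV_HEADERS), ("prod", PROD_HEADERS)):
        for cookie, missing in audit_cookies(headers).items():
            status = "ok" if not missing else "missing " + ", ".join(missing)
            print(f"{label}: {cookie}: {status}")
```

The same function can be pointed at the Set-Cookie lines copied out of any HTTP response capture, which is the check to run when a browser's tooling hides the flag.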