Firefox Now Supports HttpOnly Cookies
You may be surprised to learn that Microsoft Internet Explorer has supported a security feature called HttpOnly cookies since IE 6 SP1. The Firefox update released just the other day now supports it as well.
When a cookie is
To set an HttpOnly cookie with ColdFusion you need to use cfheader, since cfcookie doesn't yet support it:

<cfheader name="Set-Cookie" value="safe=maybe;HttpOnly">
It would be nice if the cfcookie tag simply had an attribute HttpOnly=true/false. Go make a wish. While you are at it, it would also be nice to have a setting to make the jsessionid cookies HttpOnly, or secure cookies.
Update: CF9 added an httponly setting to the CFCookie tag, and CF 9.0.1 adds HttpOnly to the CFID and CFTOKEN cookies automatically.
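As an added example (not code from the original post or from ColdFusion), here is a small Python audit that parses the Set-Cookie headers an application emits and reports which cookies lack the HttpOnly or Secure attribute, plus a helper that builds a flagged Set-Cookie value the way the cfheader line above does by hand. The sample header values, including the CFID, CFTOKEN and JSESSIONID cookies, are constructed for the demonstration.

```python
# Constructed sample headers (not from the post's server): the first is the
# cookie the post sets with cfheader; the others mimic session cookies that
# were emitted without the flags the post asks for.
SAMPLE_SET_COOKIE_HEADERS = [
    "safe=maybe;HttpOnly",
    "CFID=12345; Path=/",
    "CFTOKEN=67890; Path=/; HttpOnly; Secure",
    "JSESSIONID=abc123; Path=/",
]

def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attribute: value}).
    Attribute names are lower-cased, since browsers match them case-insensitively."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def audit_set_cookie_headers(header_values):
    """Return {cookie_name: [missing flags]} for cookies lacking HttpOnly
    (readable from document.cookie) or Secure (sent over plain HTTP)."""
    findings = {}
    for header_value in header_values:
        name, _value, attrs = parse_set_cookie(header_value)
        missing = [flag for flag in ("HttpOnly", "Secure") if flag.lower() not in attrs]
        if missing:
            findings[name] = missing
    return findings

def build_set_cookie(name, value, path="/", httponly=True, secure=True):
    """Build a Set-Cookie value with the flags appended, as the cfheader
    line in the post does by hand."""
    pieces = ["%s=%s" % (name, value), "Path=%s" % path]
    if secure:
        pieces.append("Secure")
    if httponly:
        pieces.append("HttpOnly")
    return "; ".join(pieces)

if __name__ == "__main__":
    for cookie, missing in audit_set_cookie_headers(SAMPLE_SET_COOKIE_HEADERS).items():
        print("%s is missing: %s" % (cookie, ", ".join(missing)))
```

Feed it the Set-Cookie values captured from a real response (for example from a proxy log) to find session cookies that a script could still read.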
Here's an MSDN doc with some additional info about HttpOnly cookies.
Firefox's implementation of HttpOnly however still leaves open a big hole: as RSnake points out, you can do an XMLHttpRequest to get the cookie values from the HTTP response headers. When I test in IE 6 (RSnake's example doesn't work in IE), I don't have access to the Set-Cookie header from the AJAX HTTP response. +1 for MSIE.