Firefox Now Supports HttpOnly Cookies
You may be surprised to learn that Microsoft Internet Explorer has supported a security feature called HttpOnly cookies since IE 6 SP1. Firefox 188.8.131.52, which was released just the other day, now supports it.
When a cookie is
To set a HttpOnly cookie with ColdFusion you need to use cfheader, since cfcookie doesn't yet support it:

<cfheader name="Set-Cookie" value="safe=maybe;HttpOnly">
It would be nice if the cfcookie tag simply had an attribute HttpOnly=true/false. Go make a wish. While you are at it, it would also be nice to have a setting to make the jsessionid cookies httpOnly, or secure cookies.

Update: CF9 added an httponly setting to the CFCookie tag. And CF 9.0.1 adds HttpOnly to CFID and CFTOKEN cookies automatically.
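An added example, not code from the original post or from ColdFusion: a small audit that parses the Set-Cookie values a server sends and reports which cookies are missing HttpOnly (and Secure), so the CFID, CFTOKEN and jsessionid cookies mentioned above can be checked once the cfheader or CF9 httponly change is in place. The header values below are constructed, and the parse and audit functions are assumptions of this example.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure attributes.

Constructed example, not code from the original post: report which
cookies a server sets without HttpOnly or Secure.
"""
from typing import Dict, List, Tuple

# Attributes a cookie carrying a session identifier should have.
REQUIRED_ATTRIBUTES = ("HttpOnly", "Secure")


def parse_set_cookie(header_value: str) -> Tuple[str, str, Dict[str, str]]:
    """Split one Set-Cookie value into (name, value, {attribute: value}).

    Attribute names are case-insensitive (RFC 6265) and are normalised to
    lower case. The cfheader example in the post, "safe=maybe;HttpOnly",
    has no space after the semicolon; it parses the same as with one.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:  # tolerate a trailing or doubled semicolon
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_set_cookie(header_values: List[str]) -> Dict[str, List[str]]:
    """Return {cookie name: [missing attributes]} for each cookie that
    lacks at least one of REQUIRED_ATTRIBUTES; an empty dict means clean."""
    findings: Dict[str, List[str]] = {}
    for header_value in header_values:
        name, _, attrs = parse_set_cookie(header_value)
        missing = [a for a in REQUIRED_ATTRIBUTES if a.lower() not in attrs]
        if missing:
            findings[name] = missing
    return findings


# Constructed sample headers, modelled on the cookies named in the post.
SAMPLE_HEADERS = [
    "safe=maybe;HttpOnly",                # the post's cfheader example
    "CFID=12345;Path=/;HttpOnly;Secure",  # both attributes present
    "CFTOKEN=67890;Path=/",               # missing both
    "JSESSIONID=abc123;Path=/;Secure",    # missing HttpOnly
]
```

Feed it the real Set-Cookie values captured from a response to the application's login page; any cookie that appears in the result still needs the attribute added.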
Here's a MSDN doc with some additional info about
Firefox's implementation of HttpOnly, however, still leaves open a big hole. As RSnake points out, you can do an XMLHttpRequest to get the cookie values from the HTTP response headers. When I test in IE 6 (RSnake's example doesn't work in IE), I don't have access to the Set-Cookie header from the AJAX HTTP response. +1 for MSIE.