Why are HTTPOnly Cookies configured incorrectly in IE9?

I set up the ColdFusion application to set the HTTPOnly cookie using the code below (from http://www.petefreitag.com/item/764.cfm ):

    <cfcomponent output="false">
        <cfscript>
            THIS.Name = "MyCFApp";
            THIS.SessionManagement = true;
            // Stop ColdFusion from sending its own CFID/CFTOKEN cookies; we send them by hand below
            THIS.SetClientCookies = false;
            THIS.SessionTimeout = CreateTimeSpan(0, 3, 0, 0);
            THIS.ApplicationTimeout = CreateTimeSpan(0, 8, 0, 0);
        </cfscript>

        <cffunction name="onSessionStart" returntype="Void" output="false">
            <!--- Send the session cookies ourselves so the HTTPOnly (and, in production, secure) attributes can be added --->
            <cfheader name="Set-Cookie" value="CFID=#SESSION.CFID#;path=/;HTTPOnly;#APPLICATION.SECURE_COOKIES#;" />
            <cfheader name="Set-Cookie" value="CFTOKEN=#SESSION.CFTOKEN#;path=/;HTTPOnly;#APPLICATION.SECURE_COOKIES#;" />
            <cfreturn />
        </cffunction>
    </cfcomponent>

(FYI, APPLICATION.SECURE_COOKIES lets me set the value of the Secure attribute per environment: production is SSL, so I can set it to secure, but my local developer environment is not SSL, so it's empty.)

When I delete my cookies / session in Google Chrome and reload the page, I can see the Set-Cookie response headers in the debugger:

[Screenshot: Google Chrome Debugger - Headers]

When I check the cookies in the debugger, they are marked as HTTPOnly:

[Screenshot: Google Chrome Debugger - Cookies]

When I do the same in IE9, I see Set-Cookie headers in the debugger:

[Screenshot: IE9 - Headers]

But for the same request, cookies are visible in the debugger:

[Screenshot: IE9 - Cookies]

When I reload in IE9, the cookies are visible but not marked as HTTPOnly:

[Screenshot omitted]

What is going on here with IE9? How can I get this to set HTTPOnly cookies correctly?
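As an added example (not code from the question or from the linked article), here is a way to check the server side of this independently of any browser's developer tools: capture the raw Set-Cookie header values (with curl -i, a proxy, or your framework's test client) and audit them for the HttpOnly and Secure attributes. The function names, and the sample header values with CFID=12345 and CFTOKEN=67890, are my own; the sample strings are constructed to have the shape the cfheader calls above produce, including the empty ";;" segment that appears when APPLICATION.SECURE_COOKIES is empty.

```javascript
// Added example: audit raw Set-Cookie header values for HttpOnly/Secure.
// Not part of the original question; header samples below are constructed.

// Parse one Set-Cookie header value into its name, value and attributes.
// Attribute names are case-insensitive (RFC 6265), so "HTTPOnly" and
// "HttpOnly" are treated alike. Empty segments, such as the ";;" left behind
// when APPLICATION.SECURE_COOKIES expands to nothing, are ignored, which is
// also what browsers do with them.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter((p) => p.length > 0);
  if (parts.length === 0) throw new Error('empty Set-Cookie header');
  const eq = parts[0].indexOf('=');
  if (eq < 0) throw new Error(`cookie pair has no "=": ${parts[0]}`);
  const name = parts[0].slice(0, eq).trim();
  const value = parts[0].slice(eq + 1).trim();
  const attributes = {};
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attributes[key] = i < 0 ? true : attr.slice(i + 1).trim();
  }
  return {
    name,
    value,
    attributes,
    httpOnly: attributes.httponly === true,
    secure: attributes.secure === true,
  };
}

// Report every cookie that lacks a flag we require. requireSecure should be
// true for the SSL production environment and false for a plain-HTTP
// developer machine (a Secure cookie is never sent back over plain HTTP).
function auditSetCookies(headers, requireSecure) {
  const problems = [];
  for (const h of headers) {
    const c = parseSetCookie(h);
    if (!c.httpOnly) problems.push(`${c.name}: missing HttpOnly`);
    if (requireSecure && !c.secure) problems.push(`${c.name}: missing Secure`);
  }
  return problems;
}

// Constructed samples (hypothetical session ids): what the cfheader calls
// emit with APPLICATION.SECURE_COOKIES empty (dev) and set to "secure" (prod),
// plus one deliberately weak header with HttpOnly left out.
const devHeaders = [
  'CFID=12345;path=/;HTTPOnly;;',
  'CFTOKEN=67890;path=/;HTTPOnly;;',
];
const prodHeaders = [
  'CFID=12345;path=/;HTTPOnly;secure;',
  'CFTOKEN=67890;path=/;HTTPOnly;secure;',
];
const weakHeaders = ['CFID=12345;path=/;secure;'];

console.log('dev, Secure not required :', auditSetCookies(devHeaders, false));
console.log('dev, Secure required     :', auditSetCookies(devHeaders, true));
console.log('prod, Secure required    :', auditSetCookies(prodHeaders, true));
console.log('weak, Secure required    :', auditSetCookies(weakHeaders, true));
```

Run it against the headers your real server returns (one string per Set-Cookie line) with requireSecure set to true for production; an empty problems list means the server side is correct and any remaining question is about what the browser does with the flags.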

1 answer

Moving forward from the comments:

I believe that there was a problem with the developer tools in IE8 where they would not display cookies with the HTTPOnly flag. This may still be a problem in IE9, but I could not confirm it.

When I reload in IE9, the cookies are visible but not marked as HTTPOnly:

[Screenshot omitted]

The cookies that you see in the developer tools after reloading in IE9 are the ones sent by your browser to the server. Notice the Sent in the "Direction" column of the screenshot. That is why it does not display the HTTPOnly flag: it is not sent. It makes no difference to the server. The Direction column will show Received for cookies sent from the server.

How can I confirm that my server sets HTTPOnly cookies in IE?

[Screenshot omitted]

If you look at the screenshot you shared of IE9 with the response headers, you can see the HTTPOnly flag at the end of both Set-Cookie lines. This indicates that the server sent it to the browser. It is the browser that must respect (or not) this flag. I'm afraid that you are dealing with a "design issue" in the developer tools of an older version of Internet Explorer. NOTE: This is only a problem with the developer tools, not with the browser's support for the HTTPOnly flag.

One easy way to check whether your browser honours your HTTPOnly flag is to enter the following into the address bar:

 javascript:alert(document.cookie) 

This will display a dialog with all cookies currently available to JavaScript. Any cookies with the HTTPOnly flag should NOT be displayed.


Here is one link I found: View HttpOnly cookies in Internet Explorer
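The javascript:alert(document.cookie) check above asks you to eyeball the whole cookie string. As an added example (not part of the answer), the same check can be made precise: parse document.cookie and report exactly which of the session cookies the server flagged HttpOnly (CFID and CFTOKEN in the question) are nevertheless readable by script. The function names are my own, and the sample document.cookie strings at the bottom are constructed, not captured from a browser; the browser-only part runs just when a document object exists, so the pure functions can also be exercised in Node.

```javascript
// Added example: a precise version of the document.cookie check.
// Not code from the original answer; sample strings are constructed.

// document.cookie is "name=value; name2=value2" with no attributes, so
// splitting on ";" is enough. Returns a Map of name -> value. A value may
// itself contain "=", so only the first "=" separates name from value.
function parseDocumentCookie(cookieString) {
  const jar = new Map();
  for (const pair of cookieString.split(';')) {
    const trimmed = pair.trim();
    if (!trimmed) continue;
    const eq = trimmed.indexOf('=');
    const name = eq < 0 ? trimmed : trimmed.slice(0, eq);
    const value = eq < 0 ? '' : trimmed.slice(eq + 1);
    jar.set(name.trim(), value);
  }
  return jar;
}

// Return the names from expectedHttpOnly that script can read. Anything
// returned here is either not flagged HttpOnly by the server or not
// shielded by the browser; either way it is exposed to XSS.
function exposedCookies(cookieString, expectedHttpOnly) {
  const jar = parseDocumentCookie(cookieString);
  return expectedHttpOnly.filter((name) => jar.has(name));
}

// Browser usage: paste into the console, or wrap as a bookmarklet, on a page
// of the application after the session cookies have been set.
if (typeof document !== 'undefined') {
  const leaked = exposedCookies(document.cookie, ['CFID', 'CFTOKEN']);
  alert(leaked.length === 0
    ? 'OK: CFID and CFTOKEN are not readable by script'
    : 'EXPOSED to script: ' + leaked.join(', '));
}

// Constructed samples (hypothetical values): what document.cookie would
// return if the HttpOnly flag were not honoured, and when it is.
const sampleExposed = 'CFID=12345; CFTOKEN=67890; theme=dark';
const sampleShielded = 'theme=dark';
```

Unlike the IE9 Cookies tab, this reflects the browser's actual enforcement rather than what the developer tools chose to display, so it is the right check when the tools and the response headers disagree.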
