Bobby X asked:

Need help with HTTPOnly attribute...

Hi,

I have code in the onSessionStart event that prevents JavaScript from accessing the session cookies through the use of the "HTTPOnly" attribute in the <cfheader> tag, and everything's working.  But once I started adding code that ends the session when the user closes the browser (see code below), the code that prevents JavaScript from accessing the session cookies no longer works.

Can someone please tell me how can I resolve this?

Many thanks in advance.



<cffunction name="onSessionStart" output="false" returntype="void">
    <!--- Code that ends the session when user closes browser:
          cookies set without an expires value are session cookies, which the
          browser discards when it closes. Note that <cfcookie> itself writes a
          Set-Cookie header for each of these names. --->
    <cfcookie name="CFID" value="#session.CFID#" />
    <cfcookie name="CFTOKEN" value="#session.CFTOKEN#" />

    <!--- HTTPOnly is a flag that tells the browser to only submit the cookie
          via HTTP requests, which means it cannot be accessed via JavaScript.
          These raw headers are a second Set-Cookie for the same cookie names. --->
    <cfheader name="Set-Cookie" value="CFID=#session.CFID#;HTTPOnly">
    <cfheader name="Set-Cookie" value="CFTOKEN=#session.CFTOKEN#;HTTPOnly">

    <cfreturn />
</cffunction>

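The following is an added example, not code from the original post or from the accepted answer. It is a small auditor for the Set-Cookie headers of one HTTP response: it applies the RFC 6265 rule that a later cookie with the same name, domain and path replaces the earlier one (flags included), then reports which surviving cookies JavaScript could still read. The sample headers are constructed to resemble what a response could carry when both <cfcookie> and <cfheader> set CFID and CFTOKEN; the cookie values and the order in which the server emits the two sets of headers are assumptions, not observed ColdFusion output. It runs under Node.js with no dependencies.

```javascript
// Added example (not from the original post): audit Set-Cookie headers for
// session cookies that end up readable from script.

// Parse one Set-Cookie header value into a cookie record. Attribute names are
// matched case-insensitively, as browsers do.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [name, ...rest] = parts[0].split('=');
  const cookie = {
    name: name.trim(),
    value: rest.join('=').trim(),
    domain: '',        // empty = host-only cookie
    path: '/',
    httpOnly: false,
    secure: false,
    session: true,     // no Expires / Max-Age => dropped when browser closes
  };
  for (const attr of parts.slice(1)) {
    const [k, ...v] = attr.split('=');
    const key = k.trim().toLowerCase();
    const val = v.join('=').trim();
    if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'domain') cookie.domain = val.toLowerCase();
    else if (key === 'path') cookie.path = val || '/';
    else if (key === 'expires' || key === 'max-age') cookie.session = false;
  }
  return cookie;
}

// Apply the headers in response order. A cookie with the same (name, domain,
// path) replaces the previous one entirely, so flags from an earlier
// Set-Cookie for CFID do not survive a later Set-Cookie for CFID.
function finalCookieJar(setCookieHeaders) {
  const jar = new Map();
  for (const h of setCookieHeaders) {
    const c = parseSetCookie(h);
    jar.set(`${c.name}|${c.domain}|${c.path}`, c);
  }
  return [...jar.values()];
}

// Names of the cookies that document.cookie on the page could still expose.
function scriptReadableCookies(setCookieHeaders) {
  return finalCookieJar(setCookieHeaders)
    .filter((c) => !c.httpOnly)
    .map((c) => c.name);
}

// Constructed sample (assumed order): the <cfcookie> headers first, then the
// raw <cfheader> lines. Values are made up.
const SAMPLE_RESPONSE_HEADERS = [
  'CFID=1234; Path=/',
  'CFTOKEN=98765432; Path=/',
  'CFID=1234;HTTPOnly',
  'CFTOKEN=98765432;HTTPOnly',
];

// The same headers in the opposite order, i.e. if the server wrote the
// <cfcookie> headers after the <cfheader> ones.
const SAMPLE_REVERSED = [...SAMPLE_RESPONSE_HEADERS].reverse();

console.log('HTTPOnly headers last, readable by script:',
  scriptReadableCookies(SAMPLE_RESPONSE_HEADERS));
console.log('cfcookie headers last, readable by script:',
  scriptReadableCookies(SAMPLE_REVERSED));
```

To check a real deployment, capture the response headers of the first request of a new session (for example with the browser's network panel or a raw HTTP client) and feed every Set-Cookie line to scriptReadableCookies in the order the server sent them; any CFID or CFTOKEN in the result is a cookie whose HTTPOnly flag was lost.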

ASKER CERTIFIED SOLUTION
dgrafx

This solution is only available to members.