• Status: Solved

Need help with HTTPOnly attribute...


I have code in the onSessionStart event that prevents JavaScript from accessing the session cookies through the use of the "HTTPOnly" attribute in the <cfheader> tag, and everything's working. But once I started adding code that ends the session when the user closes the browser (see code below), the code that prevents JavaScript from accessing the session cookies NO longer works.

Can someone please tell me how I can resolve this?

Many thanks in advance.

<cffunction name="onSessionStart" output="false" returntype="void">
	<!--- Code that ends the session when user closes browser --->
	<cfcookie name="CFID" value="#session.CFID#" />
	<cfcookie name="CFTOKEN" value="#session.CFTOKEN#" />
	<!--- HTTPOnly is a flag that tells the browser to only submit the cookie via HTTP requests, which means it cannot be accessed via JavaScript --->
	<cfheader name="Set-Cookie" value="CFID=#session.CFID#;HTTPOnly">
	<cfheader name="Set-Cookie" value="CFTOKEN=#session.CFTOKEN#;HTTPOnly">

	<cfreturn />
</cffunction>


1 Solution
You cannot, I don't believe, end a session when the browser is closed.
Many before you have asked this question ...

Question has a verified solution.
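
An added example, not part of the original thread or either poster's code: a Python check that takes the Set-Cookie values of one response and reports which CFID/CFTOKEN cookies a browser would end up storing without HttpOnly. The sample headers and request paths are constructed; the real header order and Path values have to be captured from the server's response, and the same host is assumed for all cookies.

```python
# Added example: audit the Set-Cookie values of one HTTP response.
# SAMPLE is constructed; it is not captured ColdFusion output.
SAMPLE = [
    "CFID=1234; Path=/",          # plain cookie, no expiry
    "CFTOKEN=56789; Path=/",
    "CFID=1234;HTTPOnly",         # header form used in the question
    "CFTOKEN=56789;HTTPOnly",
]

def default_path(request_path):
    """Default cookie path (RFC 6265 section 5.1.4) when Path is absent."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path[: request_path.rfind("/")]

def parse_set_cookie(value):
    """Return (name, {attribute: value}) with attribute names lower-cased."""
    first, *rest = [p.strip() for p in value.split(";")]
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return first.partition("=")[0].strip(), attrs

def stored_cookies(headers, request_path, names=("CFID", "CFTOKEN")):
    """Model the browser's store: a later Set-Cookie with the same name and
    path replaces the earlier one (same host assumed, Domain ignored)."""
    store = {}
    for value in headers:
        name, attrs = parse_set_cookie(value)
        if name.upper() not in names:
            continue
        path = attrs.get("path", "")
        if not path.startswith("/"):
            path = default_path(request_path)
        store[(name, path)] = {
            "httponly": "httponly" in attrs,
            "session": "expires" not in attrs and "max-age" not in attrs,
        }
    return store

def script_readable(headers, request_path):
    """Cookies document.cookie could still expose, as 'NAME path' strings."""
    store = stored_cookies(headers, request_path)
    return sorted(f"{n} {p}" for (n, p), c in store.items() if not c["httponly"])
```

An empty list from `script_readable` means every stored session-identifier cookie carries HttpOnly; the `session` field in `stored_cookies` shows whether each one also lacks Expires and Max-Age and so ends with the browser session.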
