I have setup my ColdFusion application to set HTTPOnly cookies using the code below (from http://www.petefreitag.com/item/764.cfm):
<cfcomponent output="false">
<cfscript>
THIS.Name = "MyCFApp";
THIS.SessionManagement = true;
THIS.SetClientCookies = false;
THIS.SessionTimeout = CreateTimeSpan(0, 3, 0, 0);
THIS.ApplicationTimeout = CreateTimeSpan(0, 8, 0, 0);
</cfscript>
<cffunction name="onSessionStart" returntype="Void" output="false">
<cfheader
name="Set-Cookie"
value="CFID=#SESSION.CFID#;path=/;HTTPOnly;#APPLICATION.SECURE_COOKIES#;" />
<cfheader
name="Set-Cookie"
value="CFTOKEN=#SESSION.CFTOKEN#;path=/;HTTPOnly;#APPLICATION.SECURE_COOKIES#;" />
<cfreturn />
</cffunction>
</cfcomponent>
(FYI, APPLICATION.SECURE_COOKIES
allows me to set an application-specific value for secure cookies - production is SSL, so I can do secure, but my local dev environment is not SSL, so this is empty.)
When I clear my cookies/session in Google Chrome, and reload the page, I can see the Set-Cookie
response headers in the debugger:
When I inspect the cookies in the debugger, they are flagged as HTTPOnly:
When I do the same in IE9, I can see the Set-Cookie
headers in the debugger:
But, for the same request, the cookies are visible in the debugger:
When I reload in IE9, the cookies are visible, but not flagged as HTTPOnly:
What is going on here with IE9? How can I resolve this to properly set HTTPOnly Cookies?
promoted from the comments
I believe there was an issue with the developer tools in IE8 that would not display cookies with the HTTPOnly flag. This may still be an issue with IE9 but I have not been able to confirm.
When I reload in IE9, the cookies are visible, but not flagged as HTTPOnly:
The cookies that you are seeing in the developer tools after reloading IE9 are being sent by your browser to the server. Notice the Sent in the Direction column of the screenshot. This is also why it does not show the HTTPOnly flag as being sent. It has no meaning for the server. The Direction column will show Received for cookies sent from the server.
how can I confirm that my server is setting HTTPOnly cookies in IE?
If you look at the screenshot that you shared from IE9 showing the Response Headers, at the end of both Set-Cookie lines you can see the HTTPOnly flag. That shows that the server sent it to the browser. It is then up to the browser to respect (or not) that flag. I'm afraid you are dealing with a "working as designed" issue with the developer tools on an old version of Internet Explorer. NOTE - this is only an issue with the developer tools, not the browser's support of the HTTPOnly flag.
One easy way to check if the browser is respecting your HTTPOnly flag is to type the following in the address bar.
javascript:alert(document.cookie)
This will display a window with all of the cookies currently available to javascript. Any cookies with the HTTPOnly flag should NOT be displayed.
Here is one reference that I found - View HttpOnly session cookies in Internet Explorer