January 8, 2010
Answered

HTTPOnly NOT working

  • January 8, 2010
  • 2 replies
  • 1316 views

Hi,

I have code in the onSessionStart event that prevents JavaScript from accessing the session cookies through the use of the "HTTPOnly" attribute in the <cfheader> tag, and everything's working. But once I started adding code that ends the session when the user closes the browser (see code below), the code that prevents JavaScript from accessing the session cookies no longer works.

Does anybody have any solution for this?

Many thanks in advance.

<cffunction name="onSessionStart" output="false" returntype="void">
    <!--- Code that ends the session when user closes browser --->
    <cfcookie name="CFID" value="#session.CFID#" />
    <cfcookie name="CFTOKEN" value="#session.CFTOKEN#" />

    <!--- HTTPOnly is a flag that tells the browser to only submit the cookie
          via HTTP requests, which means it cannot be accessed via JavaScript --->
    <cfheader name="Set-Cookie" value="CFID=#session.CFID#;HTTPOnly">
    <cfheader name="Set-Cookie" value="CFTOKEN=#session.CFTOKEN#;HTTPOnly">

    <cfreturn />
</cffunction>
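The symptom in the question (HttpOnly "working", then silently lost once a second way of setting the same cookie is added) is easiest to diagnose by looking at the raw Set-Cookie headers the server actually returns rather than at the CFML. The following Python script is an added example, not code from this thread or from ColdFusion: it parses every Set-Cookie header in a response, flags session cookies that are set more than once, and reports which attributes survive on the cookie the browser ends up storing. A browser replaces an existing cookie with the same name, domain and path on each new Set-Cookie (RFC 6265, section 5.3), so when one header carries HttpOnly and a later one for the same name does not, the flag is gone. The sample responses below are constructed; the assumption that the plain <cfcookie> output lands after the manual <cfheader> line is illustrative, since the thread does not show the real header order.

```python
"""Audit Set-Cookie headers for HttpOnly/Secure and duplicate definitions.

Added example (not from the forum thread). Feed it the (name, value) header
pairs captured from an HTTP response, e.g. from a proxy or a client library.
"""
from dataclasses import dataclass, field


@dataclass
class CookieDef:
    name: str
    value: str
    # Attribute names are lower-cased; flag attributes such as HttpOnly and
    # Secure map to True, valued attributes (Path, Expires, ...) to their text.
    attrs: dict = field(default_factory=dict)


def parse_set_cookie(header_value: str) -> CookieDef:
    """Parse one Set-Cookie header value into name, value and attributes."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_eq, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_eq else True
    return CookieDef(name.strip(), value, attrs)


def effective_cookies(headers):
    """Model the browser's cookie store for one response.

    RFC 6265 section 5.3: a later Set-Cookie with the same name (same default
    domain and path assumed here) replaces the earlier cookie entirely,
    attributes included. Returns {cookie name: CookieDef of the survivor}.
    """
    store = {}
    for header_name, header_value in headers:
        if header_name.lower() == "set-cookie":
            cookie = parse_set_cookie(header_value)
            store[cookie.name] = cookie
    return store


def audit(headers, session_cookie_names=("CFID", "CFTOKEN")):
    """Return a list of findings about the named session cookies."""
    findings = []
    seen = {}
    for header_name, header_value in headers:
        if header_name.lower() == "set-cookie":
            cookie = parse_set_cookie(header_value)
            seen[cookie.name] = seen.get(cookie.name, 0) + 1
    for name, count in seen.items():
        if count > 1:
            findings.append(f"{name}: set {count} times in one response; the last header wins")

    final = effective_cookies(headers)
    for name in session_cookie_names:
        cookie = final.get(name)
        if cookie is None:
            findings.append(f"{name}: not set")
            continue
        if "httponly" not in cookie.attrs:
            findings.append(f"{name}: missing HttpOnly")
        if "secure" not in cookie.attrs:
            findings.append(f"{name}: missing Secure")
        if "expires" in cookie.attrs or "max-age" in cookie.attrs:
            findings.append(f"{name}: persistent (Expires/Max-Age), not a browser-session cookie")
    return findings


# Constructed sample: what the question's onSessionStart could emit if the
# <cfcookie> headers are written after the manual <cfheader> lines
# (ordering is an assumption; real ColdFusion output may differ).
BROKEN_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "CFID=1234;HTTPOnly"),
    ("Set-Cookie", "CFTOKEN=98765432;HTTPOnly"),
    ("Set-Cookie", "CFID=1234; Path=/"),
    ("Set-Cookie", "CFTOKEN=98765432; Path=/"),
]

# Constructed sample: each session cookie set exactly once, with both flags
# and no Expires, so it is HttpOnly, HTTPS-only and dies with the browser.
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "CFID=1234; Path=/; HttpOnly; Secure"),
    ("Set-Cookie", "CFTOKEN=98765432; Path=/; HttpOnly; Secure"),
]

if __name__ == "__main__":
    for label, response in (("broken", BROKEN_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"[{label}]")
        for finding in audit(response) or ["no findings"]:
            print("  " + finding)
```

Run against a real response, the duplicate-definition finding is the one to look for first: it tells you that two mechanisms are emitting the same cookie, which is exactly the situation the accepted answer resolves by switching off ColdFusion's automatic client cookies so only one code path sets CFID and CFTOKEN.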
    2 replies

BKBK (Community Expert), correct answer
January 10, 2010

    Part of the Application.cfc

<cfcomponent>
    <!--- Ensure ColdFusion won't set cookies automatically.
          They will only be set manually in onSessionStart. --->
    <cfset this.setClientCookies="no">

    <cffunction name="onSessionStart" output="false" returntype="void">
        <cfif isDefined("cookie.CFID")>
            <!--- Then these are previous cookies that need to be deleted --->
            <cfcookie Name="CFID" Value="#cookie.CFID#">
            <cfcookie Name="CFTOKEN" Value="#cookie.CFTOKEN#">
        <cfelse>
            <!--- Create cookies manually --->
            <!--- Code that ends the session when user closes browser --->
            <cflock Scope="Session" Type="Readonly" Timeout="5">
                <cfcookie Name="CFID" Value="#Session.CFID#">
                <cfcookie Name="CFTOKEN" Value="#Session.CFTOKEN#">
            </cflock>
        </cfif>

        <!--- HTTPOnly is a flag that tells the browser to only submit
              the cookie via HTTP requests, which means it cannot be accessed
              via JavaScript --->
        <cfheader name="Set-Cookie" value="CFID=#session.CFID#;HTTPOnly">
        <cfheader name="Set-Cookie" value="CFTOKEN=#session.CFTOKEN#;HTTPOnly">

        <!--- onSessionStart is a void method, so don't use cfreturn --->
    </cffunction>
</cfcomponent>

January 8, 2010

    AppDeveloper,

Why can't you turn on "Enable J2EE Session Management", through which you can achieve the same thing (i.e., making the session expire when the user closes a browser window)?

January 8, 2010

    Daverms,

    Unfortunately, my company does not allow me to use J2EE Session Management. Any other solution?

    Many thanks.

January 8, 2010

Please follow this blog, and see if anything helps you...

    http://www.bennadel.com/index.cfm?dax=blog:1631.view