[ic] HttpOnly cookie flag

Bill Carr bill at bottlenose-wine.com
Wed Feb 2 15:14:32 UTC 2011


Hi ICers,

Is there any way in Interchange to set the HttpOnly flag on session cookies?

After installing mod_security on my Apache web servers I have started getting warnings about this flag not being set on session cookies. Microsoft introduced the HttpOnly flag and it is now accepted by all major browsers. When set the cookie data is not accessible by javascript for example via document.cookie. This can help mitigate XSS attacks.
 
Bill Carr 
Bottlenose - Wine & Spirits eBusiness Specialists 
(413) 584-0400 
http://www.bottlenose-wine.com 



More information about the interchange-users mailing list